Protect your blog

I am famous… Oh, not yet?

So I was checking my daily statistics to make sure that Google bot, Bing bot and Yandex bot checked in today. And “my oh my”, what do I see? Hundreds of visits and tens of visitors. “Well, that happened before, when my post got retweeted several times,” I thought to myself. So I decided to check what those visitors were reading.

They were reading ‘/xmlrpc.php’. At this point, I realised I was being attacked. What a wonderful day to be attacked. So I checked some logs and found that this attack was distributed: more than 100 unique IPs were requesting this super awesome post called xmlrpc.php.

Welcome to the internet

So at first I thought it was some kind of Distributed Denial of Service. I started googling for ‘WordPress + xmlrpc.php’. I found that WordPress has (or had) something called the XML-RPC pingback vulnerability. It could actually turn any WordPress site into a participant in a distributed attack. I installed the ‘Disable XML-RPC Pingback’ plugin – but nothing changed. Even though my server wasn’t dying, I still felt something was wrong here.

After digging a little more, I decided to “sniff” the traffic on my server and see what those requests actually look like. I found something like this:

[screenshot: brute force – captured XML-RPC requests]

Well, someone is obviously trying to own me. So the first thing I decided to do was to disable XML-RPC altogether (it seems that I don’t really need it and nothing should be affected). I added the following to my Apache virtual host configuration:

<Files xmlrpc.php>
     # Apache 2.2 access-control syntax; on Apache 2.4 this needs mod_access_compat,
     # the native equivalent there is "Require all denied"
     Order Deny,Allow
     Deny from all
</Files>
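Two things a practitioner wants to check at this point: how widely distributed the xmlrpc.php traffic actually is (the "more than 100 unique IPs" observation earlier in the post), and that the Deny rule above really turns those requests into 403s. The script below is an added example, not code from the original post; it runs over a few constructed combined-format Apache access log lines (TEST-NET addresses, invented timestamps) and counts xmlrpc.php requests per client IP and per HTTP status. The function names are my own, and the log path is a temp file created for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Analyses combined-format Apache
# access log lines for requests to /xmlrpc.php. Field layout of that format:
#   $1 client IP, $6 "METHOD, $7 path, $8 protocol", $9 HTTP status

# Constructed sample log: three IPs hit xmlrpc.php, one of them after the
# Deny rule took effect (status 403); one ordinary page view mixed in.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.10 - - [12/Aug/2014:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2014:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2014:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Aug/2014:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2014:10:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2014:10:01:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Aug/2014:10:01:08 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF

# "count ip" for every client that requested /xmlrpc.php, busiest first.
# Matching on the request path field ($7) rather than grepping the whole line
# avoids counting lines where "xmlrpc.php" only appears in a referrer or agent.
xmlrpc_hits_per_ip() {
  awk '$7 == "/xmlrpc.php" { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Number of distinct client IPs behind the xmlrpc.php traffic: a large number
# here with a modest per-IP count is the signature of a distributed attempt.
xmlrpc_unique_ips() {
  xmlrpc_hits_per_ip "$1" | wc -l | tr -d ' '
}

# IPs whose xmlrpc.php request count exceeds a threshold ($2), e.g. as input
# for a review or a rate-limiting rule.
xmlrpc_ips_over() {
  xmlrpc_hits_per_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# How many xmlrpc.php requests got a given HTTP status ($2). After the <Files>
# Deny rule is live, new hits should show up here as 403 rather than 200.
xmlrpc_count_status() {
  awk -v s="$2" '$7 == "/xmlrpc.php" && $9 == s' "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print the summary for the sample log.
echo "unique IPs hitting xmlrpc.php: $(xmlrpc_unique_ips "$LOG")"
echo "per-IP counts:"
xmlrpc_hits_per_ip "$LOG"
echo "still answered 200: $(xmlrpc_count_status "$LOG" 200), blocked 403: $(xmlrpc_count_status "$LOG" 403)"
```

Point the functions at the real access log (for example /var/log/apache2/access.log on Debian-style systems) instead of the temp file to run the same checks on live traffic; the per-status count is the quickest way to confirm the Deny rule is doing its job after a reload.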

Boom! All XML-RPC requests are getting 403 now. Now that I know it’s harmless, I started checking what else can be done and found another nice plugin – BruteProtect. As described on their site:

“BruteProtect is a security plugin that guards against botnets” – sounds great to me – “When you activate BruteProtect you become a part of an Internet-connected counter force that works against botnets” – even better, where do I sign?! Installation is simple: once activated you get your key via email; copy and paste it and you’re protected.

The plugin even gently tells the bots to F@#$ off:

Your IP (46.127.145.142) has been flagged for potential security violations.  Please try again in a little while...

And you get a nice dashboard to see how many bots were stopped.

[screenshot: BruteProtect dashboard]

Luckily my password is pretty random, complex and long, and I suggest you do the same with yours.

At this point, the brute force attack is still running – close to 10 hours now. And hundreds of hacked servers all around the world are trying to figure out my password.

[screenshot: visitors map]

Did you ever encounter brute force or any other attack on your blog? What did you do? How did it end? Let me know in the comments.
