I am famous… Oh, not yet?
So I was checking my daily statistics to make sure that Google bot, Bing bot and Yandex bot checked-in today. And “my oh my” what do I see? hundreds of visits and tens of visitors. “Well, that happened before, when my post got retweeted several times” – I thought to myself. So I decided to check what those visitors are reading.
They were reading ‘/xmlrpc.php’. At this point, I realised I am being attacked. What a wonderful day to be attacked. So I checked some logs and found that this attack is distributed. More than 100 unique IPs were requesting this super awesome post called xmlrpc.php.
Welcome to the internet
So at first I thought it’s some kind of Distributed Denial Of Service. I started googling for ‘WordPress + xmlrpc.php’. I found that WordPress has (or had) something called XML-RPC pingback vulnerability. It actually could turn any WordPress to a part of distributed attack. I installed’Disable XML-RPC Pingback‘ plugin – but nothing changed. Even though my server wasn’t dying I still felt something is wrong here.
After digging a little more, I decided to “sniff” the traffic on my server and see what those requests actually look like. I found something like this:
Well someone is obviously trying to own me. So first thing I decided to do is to disable XML-RPC at all (It seems that I don’t really need it and nothing should be affected). I added the following to my apache virtual host configuration:
<Files xmlrpc.php> Order Deny,Allow Deny from all </Files>
Boom! all XML-RPC request are getting 403 now. Now that I know it’s harmless I started checking what else can be done and found another nice plugin – BruteProtect. As described on their site:
“BruteProtect is a security plugin that guards against botnets” – sounds great to me – “When you activate BruteProtect you become a part of an Internet-connected counter force that works against botnets” – even better where do I sign ?! Installation is simple, once activated you get your key via email copy paste it and you’re protected.
The plugin even gently tells to the bots to F@#$ off:
Your IP (18.104.22.168) has been flagged for potential security violations. Please try again in a little while...
And you get a nice dashboard to see how many bots were stopped.
Luckily my password is pretty random, complex and long and I suggest you do the same with your password.
At this point, the brute force attack is still running – close to 10 hours. And hundreds of hacked servers all around the world are trying to figure out my password.
Did you ever encounter brute force or any other attack on your blog? What did you do? How did it end? Let me know in the comments.