Preventing WordPress XML-RPC DDOS Attack

WordPress XML-RPC pingback exploits have been used in a number of recent DDoS attacks. WordPress is the content management system behind a large share of websites, so any vulnerability in WordPress can compromise a site and be abused to degrade network integrity. It is therefore important to secure WordPress sites and prevent their use in DDoS attacks.

Exploited feature: “Pingback”. A single POST request to a file on a vulnerable WordPress server is all that is needed to exploit this issue.
There are three different ways to protect the server from an XML-RPC DDoS attack:

1. Disabling XML-RPC using a filter

Add the lines below to your wp-config.php file:

// Disable XML-RPC entirely; keep this line above the wp-settings.php include.
add_filter('xmlrpc_enabled', '__return_false');
require_once(ABSPATH . 'wp-settings.php');

2. Installing the Prevent XML-RPC plugin

https://wordpress.org/plugins/prevent-xmlrpc/ – This plugin completely disables WordPress’s XML-RPC functions without altering or renaming any core files. You can enable XML-RPC again simply by deactivating the plugin.

3. Using the code below in the .htaccess file

<Files xmlrpc.php>
     Order Deny,Allow
     Deny from all
     Allow from 127.0.0.1
</Files>

If the WordPress site uses Jetpack or other plugins that require access to xmlrpc.php, the rules above must be changed to allow the plugin vendor’s servers, since most of these plugins connect back through wordpress.com itself. Whitelist those IP ranges by modifying the rules as follows:

<Files xmlrpc.php>
    Order Allow,Deny
    # 76.74.128.0/17 is a wordpress.com range
    Allow from 76.74.128.0/17
    Allow from 127.0.0.1
    Deny from all
</Files>

or, including the second wordpress.com range:

<Files xmlrpc.php>
    Order Allow,Deny
    # 192.0.64.0/18 and 76.74.128.0/17 are wordpress.com ranges
    Allow from 192.0.64.0/18
    Allow from 76.74.128.0/17
    Allow from 127.0.0.1
    Deny from all
</Files>
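A middle ground between options 1 and 3, for sites that must keep xmlrpc.php reachable for Jetpack: remove only the pingback methods from the XML-RPC method table and stop advertising the pingback endpoint. This is an added example, not code from the original post; it uses the core `xmlrpc_methods`, `wp_headers` and `bloginfo_url` filters and is written as a must-use plugin.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks (added example)
 * Description: Place this file in wp-content/mu-plugins/ so it loads
 *              automatically. Jetpack and the mobile apps keep working
 *              because the rest of the XML-RPC API stays enabled.
 */

// 1. Drop the pingback methods from the XML-RPC method registry, so a
//    pingback.ping request is answered with "method does not exist"
//    instead of triggering an outbound request to the supplied URL.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop sending the X-Pingback response header that core adds on
//    singular pages when pings are open; it is how scanners discover
//    pingback-capable sites.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Blank out bloginfo('pingback_url') so themes that print
//    <link rel="pingback" href="..."> in the <head> emit an empty href.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

After activating, a POST to xmlrpc.php calling `pingback.ping` should return XML-RPC fault code -32601 ("server error. requested method pingback.ping does not exist") while `system.listMethods` still succeeds.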