Last year, it was the wp-login.php brute force attack where bots kept trying to log on to websites by guessing the user name and password.
A basic step in protecting a WordPress website is not to have a user called ‘admin’.
For the last two weeks, there has been a wave of new attacks.
The new brute force attack targets the XML-RPC interface (xmlrpc.php) in WordPress.
I was seeing thousands of requests to /xmlrpc.php per minute today.
I immediately went to the Cloudflare control panel and changed the basic protection level to “I’m under attack”. This gave me some breathing space while I figured out how to deal with this.
My first guess was to simply deny http access to that file.
deny from all
However, this isn’t very effective, as it generates a huge number of 404 pages which WordPress still has to process. It is no better than deleting the file itself.
As a last resort, I used an .htaccess rewrite rule to redirect requests for the file away from the server.
The advantage of this is that it causes no high CPU or memory usage, because Apache answers the request before WordPress is ever loaded.
I added the following code to my .htaccess file (WordPress’s default .htaccess already contains the required RewriteEngine On directive):
# Send any request for xmlrpc.php to an unroutable address instead of letting WordPress handle it
RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]
This is not an optimal permanent solution but it will have to do for now unless someone has a better suggestion 🙂 . The attack itself lasted over 8 hours.
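Added here as an illustration, not as code from the original post: a small Python script that spots the kind of /xmlrpc.php flood described above by bucketing Apache access-log entries per minute and per source IP. The log lines, IP addresses and the 100-requests-per-minute threshold are constructed sample values.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [10/Aug/2014:14:02:17 +0000] "POST /xmlrpc.php HTTP/1.1" 200 419 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def xmlrpc_requests_per_minute(lines):
    """Count hits on /xmlrpc.php, bucketed by minute and by source IP."""
    per_minute = Counter()
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if m.group("path").split("?")[0] != "/xmlrpc.php":
            continue  # only the XML-RPC endpoint matters here
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
        per_ip[m.group("ip")] += 1
    return per_minute, per_ip


def flood_minutes(lines, threshold=100):
    """Return the minutes in which /xmlrpc.php traffic exceeded `threshold` hits."""
    per_minute, _ = xmlrpc_requests_per_minute(lines)
    return sorted(minute for minute, n in per_minute.items() if n > threshold)


# Constructed sample log: 150 POSTs to xmlrpc.php in one minute from a single IP,
# a few stray hits the next minute, some normal page views and one unparsable line.
def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 419 "-" "Mozilla/4.0"'


SAMPLE_LOG = (
    [_line("203.0.113.5", "10/Aug/2014:14:02:%02d +0000" % (i % 60), "POST", "/xmlrpc.php", 200) for i in range(150)]
    + [_line("198.51.100.9", "10/Aug/2014:14:03:05 +0000", "POST", "/xmlrpc.php", 200) for _ in range(3)]
    + [_line("192.0.2.77", "10/Aug/2014:14:02:30 +0000", "GET", "/index.php", 200) for _ in range(5)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    print("flood minutes:", flood_minutes(SAMPLE_LOG))
```

Pointing it at a real access log (one line per list element) gives the per-minute and per-IP counts needed to decide whether a block rule like the one above is warranted.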
Update: The vulnerability that caused this denial of service has been fixed in WordPress 3.9.2, and the workaround above should no longer be needed.