xmlrpc Denial of Service

Some time ago I found my WordPress site was running extremely slowly. Eventually (i.e. after I’d checked the access log) I realised the delay was being caused by floods of xmlrpc accesses. I disabled xmlrpc and everything went back to normal (I don’t use xmlrpc for anything anyway, so it was no loss).

This was quite a while ago, so when I transferred my site to a new server and about a week later it slowed to a crawl — or worse — I didn’t immediately think of the xmlrpc problem. Apparently one of my hosting service’s servers had been attacked recently and I assumed it was related to that.

Eventually it occurred to me that I should at least look at the access log, and sure enough, there it was again: floods of xmlrpc accesses!

Now, the trouble with these things is that although I don’t use xmlrpc for anything, WordPress still has to load and run its XML-RPC handler for every one of these requests, so my genuine visitors hardly get a look in. For a reasonably effective defence I didn’t want WordPress even to have to respond negatively, so the best solution, short of investing vast sums of money in enterprise-scale solutions, was to drop a few extra lines into a .htaccess file, viz.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Which fixed it.
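As an added example (not from the original post), here is a small Python check over Apache access-log lines that counts xmlrpc.php requests per client and per minute, so a flood like the one above shows up before the site crawls, and tallies status codes so you can confirm the 403s once the .htaccess rule is in place. It assumes the default "combined" log format; the sample lines, addresses and the threshold of 10 hits per minute are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def xmlrpc_report(lines, threshold=10, window_seconds=60):
    """Count xmlrpc.php hits per client IP; flag any IP with >= threshold hits in one window."""
    per_ip, per_window, status = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue  # not an XML-RPC request (or not a log line we understand)
        bucket = int(rec["ts"].timestamp()) // window_seconds  # fixed windows, e.g. per minute
        per_ip[rec["ip"]] += 1
        per_window[(rec["ip"], bucket)] += 1
        status[rec["status"]] += 1  # 403s here mean the .htaccess block is answering
    flooders = sorted({ip for (ip, _), n in per_window.items() if n >= threshold})
    return {"total": sum(per_ip.values()), "per_ip": dict(per_ip),
            "status": dict(status), "flooders": flooders}

def _line(ip, second, method, path, status):  # builds one constructed sample log line
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 431 "-" "Mozilla/5.0"')

# Constructed sample: a 25-request burst from one address, one light legitimate XML-RPC
# user, one ordinary page view, and one request already refused by the .htaccess rule.
SAMPLE_LINES = (
    [_line("203.0.113.7", 30 + i % 20, "POST", "/xmlrpc.php", 200) for i in range(25)]
    + [_line("198.51.100.20", 40, "POST", "/xmlrpc.php", 200),
       _line("198.51.100.20", 41, "GET", "/about/", 200),
       _line("192.0.2.9", 50, "POST", "/xmlrpc.php", 403)]
)

if __name__ == "__main__":
    report = xmlrpc_report(SAMPLE_LINES)
    print(report["total"], "xmlrpc.php requests; flooding clients:", report["flooders"])
```

Run it against the real log with `xmlrpc_report(open("/var/log/apache2/access.log"))`; anything listed under flooders is a candidate for blocking, while a per-IP count of one or two is the kind of legitimate XML-RPC user the block must not break.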

Moral: someone out there evidently gets a kick out of setting up random DoS attacks via xmlrpc. What mystifies me is why they should want to bother. As school teachers used to say, ‘It isn’t clever, and it isn’t funny!’ Just a stupid waste of resources and, what’s more, my time!

Update

Well, that was all fine until I tried to install Jetpack, which, as you probably know, uses xmlrpc to communicate with the site. Knocking out xmlrpc meant that Jetpack couldn’t connect to the site, so I couldn’t use Photon, its built-in CDN. Also, I rather liked the idea of Jetpack monitoring the site so I would get an email if it went down, and checking for spurious logins.

Fortunately there’s a plugin for it. It’s called ‘Stop XML-RPC Attack’ and it appears to work. It polls ARIN for a list of Automattic’s subnets and adds them into the .htaccess file as exceptions to the ‘deny from all’ rule. Simple, straightforward and effective.