WordPress XML-RPC DDoS Protection – protect xmlrpc.php, block xmlrpc.php, forbid xmlrpc.php


WordPress uses the Incutio XML-RPC Library, which is totally awesome and amazing, and it is a shame that hackers try to exploit this. This is not a new issue with the xmlrpc.php file and the WordPress XML-RPC Server/Library; it has been known for quite a while now. Recently there have been several reported DDoS attacks/exploits that abuse the WordPress XML-RPC Server/Protocol/xmlrpc.php file. For anyone who uses the WordPress XML-RPC server features/capabilities on their website, there is a risk of DDoS exploitation. How high that risk is I do not have a definite "odds or percentage" number for, but the reality is that the possibility of DDoS exploitation does exist.

The XML-RPC DDoS PROTECTION Bonus Custom Code .htaccess code below completely turns off/disables IXR-RPC Client/Server capabilities on a website by protecting the WordPress xmlrpc.php file from being publicly accessible, which prevents the IXR XML-RPC Client/Server connection. Using this code will also turn off/disable remote posting from Weblog Clients (a Weblog Client is software you run on your local machine/desktop that lets you post to your blog via XML-RPC), unless you add (whitelist) your IP address in the XML-RPC DDoS PROTECTION Bonus Code as shown in the example below. If you have added/whitelisted your IP address (or multiple IP addresses) in the code, you can still remote post to your website.

Special Thanks goes out to Gary Gordon for bringing the recent WordPress XML-RPC DDoS Exploitation Attacks to our attention, which got us moving on creating this WordPress XML-RPC DDoS Protection code below ASAP.

Checking to ensure that the WordPress XML-RPC DDoS Protection .htaccess code is working on your website

BPS:  Enter/type in the URL to your xmlrpc.php file on your website.  Example:  example.com/xmlrpc.php.  You should see a 403 Forbidden error, which means your xmlrpc.php file is protected.

BPS Pro:  Either use the method above for BPS or use the new BPS Pro Pro-Tool:  XML-RPC Exploit Checker to check your local website or check your other websites remotely.  The XML-RPC Exploit Checker Pro-Tool uses the IXR XML-RPC Client script to connect to the WordPress IXR Server & also displays Headers for extra confirmation that the xmlrpc.php file is protected.

XML-RPC DDoS PROTECTION Bonus Code

1.  Copy the XML-RPC DDoS PROTECTION Bonus Code below to this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE

# XML-RPC DDoS PROTECTION
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist your IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
#Allow from x.x.x.
</FilesMatch>

2. Click the Save Root Custom Code button.

3. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode again.

Notes/Example: If you want to whitelist your IP address so that ONLY your IP address can access and connect to the xmlrpc.php file and the WordPress IXR Server, uncomment the #Allow from x.x.x. line of .htaccess code by removing the # sign in front of "Allow from x.x.x." and replace the x's with your actual IP address (your public/ISP IP address is displayed on the BPS System Info page).

Example using IP address 99.88.77.66 (it is recommended that you use 3 octets (x.x.x.) of your IP address instead of 4 octets (x.x.x.x) of your IP address):

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
Allow from 99.88.77.
</FilesMatch>

Double Bonus:  Block/Protect the wp-trackback.php file to prevent trackbacks or pingbacks (spambacks) from being possible

WordPress has settings that allow you to turn off trackbacks and pingbacks, but unchecking these WordPress Discussion Settings: "Allow link notifications from other blogs (pingbacks and trackbacks)" and "Attempt to notify any blogs linked to from the article" does not completely turn off/disable pingback/trackback capabilities on a website. Trackback and Pingback Spammers can still exploit the wp-trackback.php file even if you have turned off/disabled these options.

Using this code below means that you will not be able to get pingbacks and trackbacks from other websites on your website.  Personally we have not had good results with allowing trackbacks and pingbacks on our sites.  When we were allowing trackbacks/pingbacks 9 out of 10 pingbacks/trackbacks were spam.

# XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
# Using this code blocks Pingbacks and Trackbacks on your website.
# You can whitelist your IP address if you use A Weblog Client
# or want to whitelist your IP address for any other reasons.
# Example: uncomment #Allow from x.x.x. by deleting the # sign and
# replace the x's with your actual IP address. Allow from 99.88.77.
# Note: It is recommended that you use 3 octets x.x.x. of your IP address
# instead of 4 octets x.x.x.x of your IP address.

<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
#Allow from x.x.x.
</FilesMatch>
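As an added check that is not part of the original post or the BPS plugin, the Python script below reads Apache combined-format access log lines, picks out requests for xmlrpc.php and wp-trackback.php, and reports per client IP whether they were refused (403), allowed from a whitelisted prefix (the 99.88.77. example above), or allowed from an IP that should have been denied, which means the .htaccess code is not in effect. The sample log lines are constructed, and the whitelist uses the 3-octet "Allow from" form this post recommends.

```python
import re
from collections import defaultdict
BLOCKED = "blocked (403)"
WHITELISTED = "allowed (whitelisted IP)"
EXPOSED = "ALLOWED from a non-whitelisted IP: protection not in effect"
# Apache "combined" LogFormat; only the fields the audit needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
PROTECTED = re.compile(r'/(xmlrpc|wp-trackback)\.php$')  # files the .htaccess code protects

def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def audit(lines, whitelist=("99.88.77.",)):
    """Per client IP: hits on the protected files, status counts and a verdict. whitelist
    uses the 3-octet 'Allow from' form, so startswith() mirrors Apache's partial-IP match."""
    per_ip = defaultdict(lambda: {"hits": 0, "statuses": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        # Strip any query string (?p=12) before matching the file name.
        if rec is None or not PROTECTED.search(rec["path"].split("?", 1)[0]):
            continue
        per_ip[rec["ip"]]["hits"] += 1
        per_ip[rec["ip"]]["statuses"][rec["status"]] += 1
    report = {}
    for ip, entry in per_ip.items():
        statuses = dict(entry["statuses"])
        if set(statuses) == {403}:              # every request was refused
            verdict = BLOCKED
        elif ip.startswith(tuple(whitelist)):
            verdict = WHITELISTED
        else:                                   # non-403 from an IP that should be denied
            verdict = EXPOSED
        report[ip] = {"hits": entry["hits"], "statuses": statuses, "verdict": verdict}
    return report
# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 403 199 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 403 199 "-" "Mozilla/4.0"
99.88.77.66 - - [10/Mar/2014:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Windows Live Writer"
198.51.100.7 - - [10/Mar/2014:12:06:00 +0000] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:12:06:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
```

Run `audit(open("/path/to/access.log").read().splitlines())` against your own log; any IP with the EXPOSED verdict means a request to xmlrpc.php or wp-trackback.php got through without a 403, so re-check step 3 (Create secure.htaccess File AutoMagic and re-activate Root folder BulletProof Mode).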
