Learn How To Stop XML-RPC Attacks With .htaccess

Running a PHP application that uses XML-RPC? Learn how to stop XML-RPC attacks & improve your website responsiveness, performance/resource usage.

How To Stop XML-RPC Attacks

If you are running a PHP application that uses XML-RPC, consider blocking these requests or at least limit the requests to a pre-approved list of IPs.

This not only strengthens your website security but also will improve your website responsiveness, performance/resource usage.

But what is XML-RPC and what has it got to do with your website or blog?

The XML-RPC protocol was created by Dave Winer, Mohsen Agsen, Bob Atkinson, and Chris Aldrich in 1998.

The first three worked at Microsoft and Chris Aldrich at UserLand.

XML-RPC gives external systems a way to communicate with a site with HTTP acting as the transport mechanism and XML as the encoding mechanism.

It became popular because it was so simple, and early.

There were implementations in every major language and environment.

For example, it was built into Python and the Macintosh OS. The main blogging APIs were done in XML-RPC.

In PHP, the XMLRPC is the extension that brought XML RPC server and client features to PHP.

The extension though was unbundled in PHP 8.0 because the library and its dependencies have not been updated in several years.

Many content management system uses XML-RPC including WordPress.

In WordPress, the XML-RPC support enables you to post to your WordPress blog using many popular weblog clients.

You can see the complete URL by visiting https://webcomm.dev/xmlrpc.php (where “webcomm.dev” is the name of your WordPress domain).

It also allows other websites to interact with your WordPress website.

But often than not, you don’t need this or may not even be aware that it exists as an option.

Beyond the fact that the extension has been dropped starting with PHP 8.0, XML-RPC requests can also be weaponized to cause your website to respond slowly or even cause it not to respond at all.

This is often done by brute-forcing the file to cause the website to slow as it tries to respond to all the pingbacks and trackbacks.

One of the easy methods to prevent this from hurting you is to ensure that the webserver hosting the application is using Mod Security.

ModSecurity is a web application firewall (WAF) that helps with common web-based attacks like SQL injections, DOS, and other kinds of common HTTP attacks.

Customers hosting their websites/applications at Web Hosting Magic can use ModSecurity to mitigate against such attacks.

But while you are protected, security has always been a collective effort.

It is the only way for it to work as envisioned.

The simplest way to protect your website/application better is by disabling the requests via your .htaccess.

You can do this by editing the file either via cPanel’s File Manager or an SSH terminal.

  • First, log in to your cPanel account.
  • Find the Files section and click on File Manager.
  • This will take you to your account’s public_html (or your website content’s document root).
  • Edit .htaccess or create a new file called .htaccess and paste the following code into the file:
# Block xmlrpc.php requests using the files directive

<Files xmlrpc.php>
  Require all denied
  # Require ip $xxx.xxx.xxx.xxx
</Files>

========
OR
========

# Block xmlrpc.php requests using the filesmatch directive (preferred)
<FilesMatch "^xmlrpc\.php$">
  Require all denied
  # Require ip $xxx.xxx.xxx.xxx
</FilesMatch>

You can visit https://cdn.webhostingmagic.com/knowledgebase/disallow_xmlrpc.txt to download this as plain text.

If you want to allow XML-RPC requests from a particular IP, then replace $xxx.xxx.xxx.xxx with the IP address.

Save and close the file.

If you don’t know how to edit or create a .htaccess file, you can open a support ticket with our team to help you get this done.

If you are running WordPress, you can use a plugin to achieve the same result.

However, we always encourage customers to use fewer plugins instead of more.

To do that:

  • Log in to your wp-admin
  • Visit the Plugins >> Add New section.
  • Search for Disable XML-RPC.
  • Install the plugin.

Our dedicated servers, private virtual machines, or VPS customers can visit the support portal and request that ‘xmlrpc.php’ be disabled server-wide.

We hope that this short tutorial will help you protect your website better against XML-RPC attacks and exploits.

For more information on PHP XML-RPC visit http://www.xmlrpc.com/


Posted

in

,

by