Howto Block XML RPC Attacks on cPanel/WHM Servers using CSF

Categories

Howto Block XML RPC Attacks on cPanel/WHM Servers using CSF

You are here:

Introduction

XML-RPC is a remote procedure call protocol that uses XML (Extensible Markup Language) to encode the calls that are made via HTTP. One main feature of XML RPC is to allow users to post blogs via weblog clients and also to interact with social media platforms.

Over the past twelve months we have seen an increase in brute force attacks on WordPress installs causing flooding/overloading and ultimately slowing down customers servers. It is possible to block both XML RPC and also other attacks such as wp-login attacks through various methods outlined below.

 

Method 1 – Globally Disable using CSF to Block XML RPC and wp-login Attacks

1) Edit CSF Config either via WHM or SSH through your favourite editor:

nano /etc/csf/csf.conf

locate the line:

vCUSTOM1_LOG = "/var/log/customlog"

and replace it with:

vCUSTOM1_LOG = "/usr/local/apache/domlogs/*/*"

2) Create a function within CSF to detect and block these attacks.

nano /usr/local/csf/bin/regex.custom.pm

Add the following:

# Block IP if more than 10 requests in 3600 for wp-login
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","10","80,443","1");
}

# Block IP if more than 10 requests in 3600 for xml-rpc
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","10","80,443","1");
}

3) Restart CSF and LFD to apply changed:

csf -r
service lfd restart

 

Method 2 – Completely disable XML RPC attacks on a per account basis with cPanel using .htaccess

 

1) Login to your cPanel account and goto the File Manager

2) Goto the public_html directory where your files are located, if your WordPress is installed within this directory then take a backup copy of the .htaccess within this directory, else navigate to your WordPress directory and backup the .htaccess there.

3) If you don’t see the file it is probably because it’s hidden and you need to change the display settings to display hidden files by navigating to the gearbox icon from the top-right corner.

4) Right click the .htaccess file and click edit and add the following:

# Block XML-RPC 
<Files xmlrpc.php> 
order deny,allow 
deny from all 
</Files>

5) Access to your xmlrpc file is now completely disabled, if you need to allow access from specific IPs just add the following below the last </Files> line.

allow from 8.8.8.8

Replacing 8.8.8.8 with the IP you want to access from.

 

 

Next Howto Import and Export a MySQL database in SSH
Table of Contents