WordPress xmlrpc.php brute force attack

The server that hosts this blog has been going down consistently for the last several months. Every time I restart the server to make it work again, a few hours later it would crash again. I figured some malicious activity was occurring. I finally found someone trying to brute force attack my WordPress blog using the xmlrpc.php file thousands of times per second, causing my tiny micro AWS EC2 server instance to stop working due to CPU overload.

I tried moving all of my DNS to CloudFlare and turning on DNS protection, but that didn’t seem to fix the issue. Finally, after digging deeper into the issue, I found they were attacking the file directly using my IP address, because my WordPress blog would render when someone went to the IP address of my server, skipping my actual domain name. This allowed them to get around my DNS firewall.

I just decided to block the IP address for now, hopefully that’ll do the trick.

$ iptables -I INPUT -s 162.251.161.98 -j DROP

My HTTPD server logs basically looked like this:

162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
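Rather than eyeballing the access log, the flood above can be spotted automatically by counting POST requests to /xmlrpc.php per source IP per second. The script below is an added example, not code from the original post: it parses Apache combined-format lines, flags any source whose per-second rate meets a threshold, and prints the same iptables DROP rule the post used for each flagged source. The sample log is constructed from the post's excerpt plus one benign visitor (203.0.113.5, a documentation address); the threshold of 3 is an assumed value.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/httpd combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, second-resolution timestamp, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts.replace(microsecond=0), m['method'], m['path'], int(m['status'])

def flag_xmlrpc_floods(lines, threshold=3):
    """Count POST /xmlrpc.php per (ip, second) and return {ip: peak_requests_per_second}
    for every source whose peak meets the threshold (threshold is an assumed value)."""
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the sweep
        ip, ts, method, path, _status = rec
        if method == 'POST' and path.split('?', 1)[0] == '/xmlrpc.php':
            per_second[(ip, ts)] += 1
    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}

def drop_rules(flagged):
    """Render the iptables rule from the post for each flagged source (printed, not executed)."""
    return [f'iptables -I INPUT -s {ip} -j DROP' for ip in sorted(flagged)]

# Constructed sample: eight copies of the attacker line from the post's log excerpt,
# plus a benign visitor doing one GET and one legitimate pingback-style POST.
SAMPLE_LOG = [
    '162.251.161.98 - - [21/May/2015:05:37:22 +0000] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
] * 8 + [
    '203.0.113.5 - - [21/May/2015:05:37:22 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.38.0"',
    '203.0.113.5 - - [21/May/2015:05:37:23 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.2; http://example.org"',
]

if __name__ == '__main__':
    flagged = flag_xmlrpc_floods(SAMPLE_LOG)
    print(flagged)  # {'162.251.161.98': 8}
    print('\n'.join(drop_rules(flagged)))
```

On a real server, feed it the httpd access log (`flag_xmlrpc_floods(open('/var/log/httpd/access_log'))`) and review the flagged sources before applying any rule, since a legitimate Jetpack or pingback client can also POST to xmlrpc.php.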

The blog should now be back online. I have several sites hosted on this server, so I wasn’t sure which site was the issue; now it looks like it was this blog, and specifically they were directly hitting the IP address and trying to brute force attack a WordPress file, which seems to be a common issue: https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wesmahler_wordpress.html