WordPress XMLRPC exploit causing problems


For the past 48 hours or so, I’ve been dealing with extreme server load issues, causing drastic slowdowns and ultimately causing my VPS to crash multiple times.

I found this was due to a DDoS attack on WordPress sites that exploits WP’s post/ping system, which is explained in more depth here.

The interim fix is to disable/redirect XML-RPC via .htaccess or, if you’re running CloudFlare, to increase the level of security. I presume (hopefully) that an upcoming WP release will address this issue.

Here’s an .htaccess solution that redirects those abusing this to a non-existent IP, which worked for me (my server load immediately returned to a normal state):

RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]

This will probably cause issues with pinging and remote posting, so please consider it a temporary fix. If you notice your sites are running sluggishly, or that your server is continually crashing, this could be the cause.

To investigate further, check out your latest visitor log in cPanel — if you see something similar to what’s shown in the image below, you’re probably a victim.

[Image: wp-ddos]

If not, you’re probably unaffected, but it’s something to keep your eye out for!
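One way to run the visitor-log check described above against a downloaded raw access log, as an added example that is not part of the original post. It assumes Apache combined log format and that the telltale pattern is repeated POST requests to xmlrpc.php; the function name, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format (an assumption about the raw access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def xmlrpc_summary(lines, min_hits=3):
    """Measure how much of the traffic is POSTs to xmlrpc.php and who sends it."""
    total = 0
    hits = Counter()      # client IP -> number of POSTs to xmlrpc.php
    statuses = Counter()  # HTTP status -> count, xmlrpc.php POSTs only
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        total += 1
        path = m["path"].split("?", 1)[0].lower()
        # endswith() also catches WordPress installed in a subdirectory.
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            hits[m["ip"]] += 1
            statuses[m["status"]] += 1
    posts = sum(hits.values())
    heavy = sorted(((ip, n) for ip, n in hits.items() if n >= min_hits),
                   key=lambda t: (-t[1], t[0]))
    return {"total_requests": total, "xmlrpc_posts": posts,
            "share": posts / total if total else 0.0,
            "heavy_clients": heavy, "statuses": dict(statuses)}

# Constructed sample lines using documentation-range IPs, not real log data.
SAMPLE = """\
203.0.113.7 - - [01/Jan/2020:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.7 - - [01/Jan/2020:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
203.0.113.7 - - [01/Jan/2020:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.23 - - [01/Jan/2020:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
198.51.100.23 - - [01/Jan/2020:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
192.0.2.10 - - [01/Jan/2020:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2020:10:01:05 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2020:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.0" 301 - "-" "-"
truncated line with no request field
""".splitlines()

if __name__ == "__main__":
    report = xmlrpc_summary(SAMPLE)
    print(f"{report['xmlrpc_posts']}/{report['total_requests']} requests "
          f"({report['share']:.0%}) are POSTs to xmlrpc.php")
    for ip, n in report["heavy_clients"]:
        print(f"  {ip}: {n} POSTs")
    print("  status codes:", report["statuses"])
```

Once the redirect rule is in place, the status counts should shift from 200 to 301, which confirms the rule is matching these requests.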