0

I'm hosting a WordPress blog on an Apache server (shared hosting). For some reason I've been receiving like 100 requests per second to xmlrpc.php for a few days.

The access.log looks like this:

...
188.138.33.149 - - [16/Oct/2013:17:46:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 212 "-" "GoogleBot/1.0"
188.138.33.149 - - [16/Oct/2013:17:46:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 212 "-" "GoogleBot/1.0"
188.138.33.149 - - [16/Oct/2013:17:46:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 212 "-""
...

In the .htaccess I applied the following rule:

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Is there a better way to prevent the spam?

Hedge

2 Answers

1

If most of your spam connections are coming from a small number of IPs, you may block only those IPs from your .htaccess as described in this link.

0

Had this happen recently and it was killing the server and we're now using fail2ban to mitigate the issue.

Added this config to jail.local:

[apache-xmlrpc]

enabled = true
port = http,https
filter = apache-xmlrpc
logpath = /var/log/apache2/*access.log
maxretry = 30
findtime = 300
bantime = -1

And create the filter in filter.d/apache-xmlrpc.conf:

[Definition]
failregex = ^<HOST> -.*"(GET|POST) .*xmlrpc\.php
ignoreregex =

In my case the attacks weren't always coming from googlebot, so I made the regex a bit more broad, but for my purposes there's hardly any good reason for any IP to be hitting xmlrpc 30+ times in 5 minutes.

Eaten by a Grue
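To check the jail's thresholds against a log before enabling a permanent ban, the following added example (not part of the answer above and not fail2ban's own code) replays access-log lines through the same pattern and a `maxretry`/`findtime` sliding window. It assumes `(\S+)` as a stand-in for fail2ban's `<HOST>` tag, and the sample log lines are constructed using documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximation of the answer's failregex; (\S+) stands in for fail2ban's <HOST>.
FAILREGEX = re.compile(r'^(\S+) -.*"(GET|POST) .*xmlrpc\.php')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
MAXRETRY = 30   # maxretry from the jail above
FINDTIME = 300  # findtime (seconds) from the jail above

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of the hit that reached maxretry within findtime}."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILREGEX.search(line)
        t = TIMESTAMP.search(line)
        if not m or not t or m.group(1) in banned:
            continue
        ip = m.group(1)
        when = datetime.strptime(t.group(1), TS_FORMAT)
        hits = window[ip]
        hits.append(when)
        # Drop hits that have aged out of the findtime window.
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = when
    return banned

def sample_log():
    """Constructed log lines (documentation IP ranges), not taken from the page."""
    start = datetime.strptime("16/Oct/2013:17:46:03 +0200", TS_FORMAT)
    fmt = '{} - - [{}] "{} HTTP/1.1" {} 212 "-" "{}"'
    def line(ip, offset, req="POST /xmlrpc.php", status=403, ua="GoogleBot/1.0"):
        ts = (start + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return fmt.format(ip, ts, req, status, ua)
    lines = [line("203.0.113.10", i) for i in range(40)]  # burst: 40 hits in 40 s
    lines += [line("198.51.100.7", i * 60, ua="Mozilla/5.0") for i in range(35)]  # one hit per minute
    lines += [line("192.0.2.5", i, req="GET /index.php", status=200) for i in range(50)]  # unrelated
    return lines

if __name__ == "__main__":
    for ip, when in offenders(sample_log()).items():
        print(f"{ip} would be banned at {when.isoformat()}")
```

The pattern ignores the status code, so requests already rejected with 403 by the `.htaccess` rule still count toward the ban, and a client at one request per minute stays under 30 hits in 300 seconds.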