XML-RPC is a WordPress feature that allows remote procedure calls to the application, for example by APIs and other automated tools.
Unfortunately, the way it is implemented in WordPress makes this feature easy to abuse for DDoS attacks and brute-force attacks (brute-forcing your own WordPress site as well as other WordPress sites). The references below go into further detail on how these attacks work. This article provides instructions for disabling the abused methods that allow DDoS and brute-force attacks to take place.
There are several WordPress plug-ins available that offer various security protections. We tested several and found one that worked well for disabling pingbacks, but have not yet found a working plug-in that disables brute-force attacks via XML-RPC in our environment. Therefore the best solution is to disable these methods via code as described below.
INSTRUCTIONS
Locate the folder containing your WordPress site's current theme files and add the following code to the top of the theme's functions.php file (after the opening <?php tag):
// Remove the abused methods from the XML-RPC method table.
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
    // pingback.ping is the method abused to bounce DDoS traffic off WordPress sites
    unset( $methods['pingback.ping'] );
    return $methods;
}

add_filter( 'xmlrpc_methods', 'Remove_Unneeded_XMLRPC' );
function Remove_Unneeded_XMLRPC( $methods ) {
    // wp.getUsersBlogs requires credentials and is abused for brute-forcing logins
    unset( $methods['wp.getUsersBlogs'] );
    return $methods;
}
After an application pool restart the changes will be in effect. If you use any mobile publishing apps, plugins that perform automated backups, or other tools you’ll want to test to make sure those aren’t affected by the changes.
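One way to confirm the change took effect is to ask your own site's xmlrpc.php for its method list (system.listMethods) and check that the two removed methods are no longer advertised. The script below is an added example, not part of the original KB; the response body it parses is constructed sample data, and the URL passed to check_site is whatever your own site's xmlrpc.php address is.

```python
"""Added example (not from the original KB): verify that the abused XML-RPC
methods are no longer advertised by your own WordPress site after the
functions.php change. SAMPLE_RESPONSE below is constructed sample data."""
import xmlrpc.client
from urllib.request import Request, urlopen

# The two methods the KB removes via the xmlrpc_methods filter.
BLOCKED_METHODS = {"pingback.ping", "wp.getUsersBlogs"}


def build_list_methods_request() -> bytes:
    """Build the XML body for a system.listMethods call (takes no parameters)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def parse_list_methods_response(body: bytes) -> set:
    """Extract the advertised method names from a system.listMethods response.
    Raises xmlrpc.client.Fault if the server answered with a fault."""
    params, _ = xmlrpc.client.loads(body.decode())
    # system.listMethods returns one array of method-name strings.
    return set(params[0])


def still_exposed(advertised: set) -> set:
    """Return the blocked methods that the site still advertises (empty = fixed)."""
    return BLOCKED_METHODS & advertised


def check_site(xmlrpc_url: str) -> set:
    """POST system.listMethods to your own site's xmlrpc.php and report which
    blocked methods are still exposed. xmlrpc_url is supplied by the caller."""
    req = Request(xmlrpc_url, data=build_list_methods_request(),
                  headers={"Content-Type": "text/xml"})
    with urlopen(req, timeout=10) as resp:
        return still_exposed(parse_list_methods_response(resp.read()))


# Constructed sample response: pingback.ping was removed, but wp.getUsersBlogs
# is still present (as if only the first filter had been added).
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
<value><string>demo.sayHello</string></value>
</data></array></value></param></params></methodResponse>"""

if __name__ == "__main__":
    exposed = still_exposed(parse_list_methods_response(SAMPLE_RESPONSE))
    print("still exposed:", sorted(exposed))  # -> ['wp.getUsersBlogs']
```

An empty result from check_site means both methods are gone; run it again whenever the theme is updated, since functions.php is replaced along with the theme.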
There are other solutions you’ll find online that may or may not work in your environment. The above has been tested on Windows servers running IIS.
IMPORTANT – if you update or change your WordPress theme, remember to re-add the code above to the current theme's functions.php file.
Other XML-RPC methods can be abused in the same way (especially for brute force, since many methods require authentication). If we determine that additional methods should be blocked, we will update this KB accordingly.
References:
WordPress XML-RPC Pingback Attacks:
https://isc.sans.edu/forums/diary/WordPress+Pingback+DDoS+Attacks/17801/
http://wptavern.com/how-to-prevent-WordPress-from-participating-in-pingback-denial-of-service-attacks
WordPress XML-RPC Brute-Force Attacks:
Content retrieved from: https://support.appliedi.net/kb/a1229/ddos-brute-force-over-xml-rpc-how-to-disable-commonly-abused-functions-in-wordpress.aspx.