XML-RPC Block Using .htaccess

Reclaim Hosting‘s Ramones server was experiencing some extremely high loads this afternoon, and D’Arcy gave Tim and I a heads-up on Twitter to let us know as much. The A-Team was on the job and more than up to the task!

The first thing we check when we’re getting unusually high loads is the Apache Status in WHM (the GUI interface for managing a CPanel server). We look to see if there is one particular site getting hammered with requests—which is often, though not always, the case with random load spikes.


In the instance earlier today, one WordPress blog was getting hit very hard with login attempts, often referred to as brute force login attempts. But rather than the wp-login.php file, it was the xmlrpc.php file which has been a vulnerability for years because it provides, in the words of my server sensei Tim Owens, “a huge target for brute force login attempts because it bypasses the traditional wp-login.php and goes right for logging in via API.” This was precisely the case with the intense load on Ramones this afternoon.

Tim has started collecting snippets of code in our internal documentation, like the one below, that we can just add to the .htaccess file in the affected WordPress install to block all calls to xmlrpc.php. Below is the code snippet we copied into .htaccess this afternoon that brought the load back down almost immediately. Hope you find it helpful.

1  <IfModule mod_setenvif.c>
2 <Files xmlrpc.php>
3    BrowserMatch "Poster" allowed
4    BrowserMatch "WordPress" allowed
5    BrowserMatch "Windows Live Writer" allowed
6    BrowserMatch "wp-iphone" allowed
7    BrowserMatch "wp-android" allowed
8    BrowserMatch "wp-windowsphone" allowed
9 
10    Order Deny,Allow
11    Deny from All
12    Allow from env=allowed
13  </Files>
14 </IfModule>
15 
16 ErrorDocument 403 "Access Denied"