Block hacker attacks on WordPress’ xmlrpc.php

If you’re getting a ton of POST requests to your WordPress xmlrpc.php file, here’s a quick way to block all the bad IPs via iptables. In my case I’m using nginx and php-fpm, but something very similar would also work for Apache.

First, recognize the signature. Your access logs will look something like this:

5.135.68.51 - - [13/May/2015:12:14:59 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
185.61.138.72 - - [13/May/2015:12:14:59 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
185.11.147.17 - - [13/May/2015:12:14:59 -0400] "POST /xmlrpc.php HTTP/1.0" 404 168 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
185.11.147.17 - - [13/May/2015:12:14:59 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
185.62.188.76 - - [13/May/2015:12:15:01 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
185.62.188.76 - - [13/May/2015:12:15:01 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
185.62.188.76 - - [13/May/2015:12:15:01 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
185.61.138.72 - - [13/May/2015:12:15:01 -0400] "POST /xmlrpc.php HTTP/1.0" 404 168 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
5.135.68.51 - - [13/May/2015:12:15:02 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
5.135.68.51 - - [13/May/2015:12:15:02 -0400] "POST /xmlrpc.php HTTP/1.0" 404 168 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"

Googlebot will NOT be POSTing to your xmlrpc.php like that. Next, the trick is to figure out which IP addresses are harassing you. Run this in your terminal:

$> grep xmlrpc /var/log/nginx/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head
  29200 185.11.147.17
  17182 185.62.188.76
  10657 185.61.138.72
   8183 5.135.68.51
   1914 192.227.175.122
   1738 195.154.185.116
   1198 43.252.228.132
    501 205.234.152.218
    155 86.105.212.68
    103 141.138.157.95

Most likely all of these are hackers, since it would be unlikely that even Jetpack or some other WordPress service would hit your xmlrpc.php that frequently. But you can decide where the cutoff should be by adding -n# to the head command above. In my case I chose head -n8, like so:

$> grep xmlrpc /var/log/nginx/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head -n8
  29200 185.11.147.17
  17182 185.62.188.76
  10657 185.61.138.72
   8183 5.135.68.51
   1914 192.227.175.122
   1738 195.154.185.116
   1198 43.252.228.132
    501 205.234.152.218

Sooo …. now you just need to wrap that in a loop that will create the iptables rules to block traffic from the IPs:

$> for ip in $(grep xmlrpc /var/log/nginx/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head -n8 | awk '{print $2}'); do iptables -A INPUT -s $ip -j DROP; done

No more hackers.
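The same pipeline, wrapped into a script so it can be reused. This is an added example, not the original post's one-liner: it counts only POSTs to /xmlrpc.php (so a stray GET or another path is ignored), uses a request-count threshold instead of a fixed head -n8, and puts the DROP rules in a dedicated XMLRPC_BLOCK chain so they can be listed and flushed on their own. The sample log and its addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sample log using
# RFC 5737 documentation addresses, in the combined format the post shows; a
# GET to xmlrpc.php and a POST elsewhere are included to show they are skipped.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.10 - - [13/May/2015:12:14:59 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
203.0.113.20 - - [13/May/2015:12:14:59 -0400] "POST /xmlrpc.php HTTP/1.0" 404 168 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
203.0.113.10 - - [13/May/2015:12:15:00 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
198.51.100.5 - - [13/May/2015:12:15:01 -0400] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.38.0"
203.0.113.10 - - [13/May/2015:12:15:01 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
192.0.2.7 - - [13/May/2015:12:15:02 -0400] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.20 - - [13/May/2015:12:15:02 -0400] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
203.0.113.10 - - [13/May/2015:12:15:03 -0400] "POST /xmlrpc.php HTTP/1.0" 404 168 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  https://www.google.com/bot.html)"
EOF

# "count ip" for every client that POSTed to /xmlrpc.php, busiest first.
# Matching the request line (not just "xmlrpc") ignores GETs and other paths.
xmlrpc_posters() {  # $1 = access log
  grep '"POST /xmlrpc.php ' "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

# IPs whose POST count is at or above the threshold, one per line.
offenders() {  # $1 = access log, $2 = minimum request count
  xmlrpc_posters "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# One DROP rule per offender in a dedicated XMLRPC_BLOCK chain, hooked into
# INPUT once. Prints the commands by default; pass "apply" as $3 to run them
# (needs root). iptables rules live in kernel memory only, so re-run or save
# them if they must survive a reboot.
block_rules() {  # $1 = access log, $2 = minimum request count, $3 = print|apply
  if [ "$3" = "apply" ]; then
    iptables -N XMLRPC_BLOCK 2>/dev/null || true
    iptables -C INPUT -j XMLRPC_BLOCK 2>/dev/null || iptables -I INPUT -j XMLRPC_BLOCK
  fi
  for ip in $(offenders "$1" "$2"); do
    rule="iptables -A XMLRPC_BLOCK -s $ip -j DROP"
    if [ "$3" = "apply" ]; then $rule; else echo "$rule"; fi
  done
}

# Dry run against the sample: only 203.0.113.10 (4 POSTs) clears a threshold of 3.
block_rules "$LOG" 3 print
```

Point LOG at your real access log and raise the threshold to whatever your legitimate XML-RPC clients never exceed before switching to apply.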

WordPress Signal/Noise Ratio

I’ve decided to air some grievances about trends in the WordPress community that have me annoyed. Yesterday, I raised the issue of “freemium” plugins in the WordPress Repository. Today I want to bitch about the #wordpress twitter stream. There was a time when you could follow #wordpress and find real people exchanging ideas or asking questions or linking tutorials. It seems now though the community is a victim of its own success. To demonstrate my point, yesterday I went through the first 50 tweets and broke them down by function:

34 tweets were directly selling something. An example might be

Visual Themify #Builder #WordPress #Plugin True #Drag #Drop #ThemeBuilder Design. Front- and Backend Design https://link/link

The link in the tweet above actually takes you to a hosting company website which is a bit misleading.

23 tweets were soft-selling. By this I mean they were tweets by a company to a blog post that was indirectly promoting their business or products. This is obviously preferable to the direct sell, but it still has some issues. For one thing, the quality of the content leaves much to be desired. I don’t find an article on “building an ecommerce site” that just lists a bunch of super-obvious steps, “First you need a domain, here’s a link to the domain affiliate that I profit from,” to be particularly valuable.

Only 3 articles had no obvious sales angle. This is a pathetic number. What’s worse is that many of the direct-sell tweets are just repeats of each other. At least 8 tweets ultimately linked back to one theme on the Envato Marketplace.

To be fair, some of the issue here is without a doubt an issue with Twitter, not WordPress. And it’s hardly reasonable to expect WordPress to somehow curate the hashtag.

My concern though is that it is somewhat indicative of a trend in the WordPress ecosystem: it’s getting increasingly difficult to separate the cream from the crap.

Ideas on this would be welcome.

Open Thread: Reading your spam email

I decided to read some of my spam email this morning and discovered to my delight that:

  • I received two direct deposits for loans totaling $45k with generous payback terms;
  • I could “put fewer calls on hold” by buying something called Business Phone System … not sure how that works … ;
  • The swimming pool supplies I ordered while being an apartment owner/renter for over a decade are nevertheless ready, curiously from the same company selling “business phone system”;
  • I apparently joined a senior dating group which is … AWESOME!; and
  • The million dollar mansion I purchased in Florida is ready for a rehab job.

Spammy me sounds like an eclectic guy.