Sneaky Hackers: How I Fixed the xmlrpc.php Problem

Recently I noticed a flood of xmlrpc.php POSTs in my Apache access_log for a new WordPress site I had just deployed using a Bitnami image on AWS Lightsail. Basically it was flooding the site a few times every second! Eventually it gets overloaded and shuts down Apache.

xmlrpc access log

After doing a bit of research, aka… I checked Google, I learned this is a known problem. In a nutshell, hackers can use xmlrpc.php for botnets, brute force attacks, etc. Although there is some value in xmlrpc.php within WordPress (pingbacks, etc.), I was not using that functionality.

I addressed the issue with the iThemes Security plugin. Easy to install and configure, it only took a few minutes to make the site much more secure, including two-factor authentication, brute-force login attempt lockout, etc.

iThemes Security

For the xmlrpc issue, be sure to go into Settings -> Advanced -> API Access. Under XML-RPC, select Disable XML-RPC, and under REST API, select Restricted Access.

Disable XML-RPC

Within only a couple days, the plugin has already locked out a few bad IPs attempting brute force attacks. No problems with the XMLRPC floods since, fingers crossed.
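
To confirm a flood like the one described above, and to check afterwards that it has stopped, the access log can be scanned for clients sending bursts of POSTs to xmlrpc.php. The following is an added example, not part of the original post; it assumes Apache's common/combined log format, and the window, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Prefix of an Apache common/combined log line:
#   ip ident user [timestamp] "METHOD path protocol" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def xmlrpc_flooders(lines, window_seconds=10, threshold=5):
    """Return {ip: peak number of xmlrpc.php POSTs seen in any sliding window}
    for every client whose peak reaches the threshold (both values are assumptions)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]       # ignore any query string
        if not path.endswith("/xmlrpc.php"):    # also covers subdirectory installs
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop requests older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
    for s in (0, 0, 1, 1, 2, 2, 3)
] + [
    '198.51.100.4 - - [12/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.4 - - [12/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.9 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, peak in xmlrpc_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} xmlrpc.php POSTs within 10 s")
```

On a real server, pass the open access_log file object as `lines`; after XML-RPC is disabled, the same clients may still appear in the log, so check the status codes of their requests as well.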

Quick PHP Variable Substitution Example

Here is a quick example of PHP variable substitution:

<?php
  echo 2 + 2;          // prints 4
  $myname = 'Perry';   // assign the value used in the headings below
?>

<h1>This page is all about <?php echo $myname; ?></h1>
<?php echo 5 * 5; ?>
<h2>All About <?php echo $myname; ?></h2>

The above code snippet assigns ‘Perry’ to the variable $myname, and then uses that variable in the h1 and h2 heading lines.