How to block xmlrpc.php bot attack?

Your server may experience heavy hits from a bot named [http://law.di.unimi.it/BUbiNG.html#wc|BUbiNG]. This may have caused a massive load spike on the server. How can we deny that user agent globally?

An easy solution is to use a rewrite rule that detects the user agent and then sets an environment variable with the action [E=blockbot]. This drops the direct connection from that client IP.

For example, add the following to the .htaccess of the test.com domain.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "BUbiNG"
RewriteRule .* - [E=blockbot:1]

To verify, you can run:

curl -A "BUbiNG" test.com

If your rules need further debugging, you can enable the rewrite log to check them.

On a server, after configuring cPanel piped logging to push entries to /usr/local/apache/logs/error_log, the user can see tons of 404 File not found [/var/www/html/xmlrpc.php] entries coming through. A 404 will not trigger the LSWS WordPress protection feature. The requests look like they are being processed by the default vhost. How should they be handled?

Locate the virtual host serving the requests, then add a vhost-level rewrite rule to drop the connection using “E=blockbot”.

RewriteRule ^/xmlrpc\.php - [E=blockbot:1]

Do not apply the above at server level since it will block everyone accessing xmlrpc.php globally.
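
To find which virtual host is actually answering the xmlrpc.php hits before adding the rule, the access log can be tallied by vhost, status and client IP. The following is an added example, not part of the original wiki page or of LiteSpeed's tooling; the vhost-prefixed combined log layout, the vhost name default.example and every sample line are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines. Assumed layout: combined log format prefixed with
# the vhost name (Apache LogFormat "%v %h %l %u %t \"%r\" %>s %b ...").
SAMPLE_LOG = """\
default.example 203.0.113.7 - - [29/Mar/2018:15:58:01 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
default.example 203.0.113.7 - - [29/Mar/2018:15:58:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
default.example 198.51.100.23 - - [29/Mar/2018:15:58:02 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
test.com 192.0.2.10 - - [29/Mar/2018:15:58:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "BUbiNG (constructed sample UA)"
test.com 192.0.2.10 - - [29/Mar/2018:15:58:03 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "BUbiNG (constructed sample UA)"
test.com 192.0.2.44 - - [29/Mar/2018:15:58:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.9.4"
truncated line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def triage(log_text, bot_ua="BUbiNG", path="/xmlrpc.php"):
    """Tally the traffic the two rewrite rules on this page would match."""
    xmlrpc_by_vhost = Counter()   # (vhost, status) -> hits on xmlrpc.php
    xmlrpc_by_ip = Counter()      # client IP -> hits on xmlrpc.php
    bot_by_ip = Counter()         # client IP -> hits carrying the bot UA
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1         # keep count so silent parse gaps are visible
            continue
        req_path = m["path"].split("?", 1)[0]   # ignore the query string
        if req_path == path:
            xmlrpc_by_vhost[(m["vhost"], m["status"])] += 1
            xmlrpc_by_ip[m["ip"]] += 1
        # Case-sensitive substring match, like RewriteCond without [NC]
        if bot_ua in m["ua"]:
            bot_by_ip[m["ip"]] += 1
    return xmlrpc_by_vhost, xmlrpc_by_ip, bot_by_ip, unparsed

if __name__ == "__main__":
    by_vhost, by_ip, bots, bad = triage(SAMPLE_LOG)
    for (vhost, status), n in by_vhost.most_common():
        print(f"{n:5d}  {vhost}  status={status}")
    print("xmlrpc.php clients:", by_ip.most_common(5))
    print("bot UA clients:", bots.most_common(5), "unparsed lines:", bad)
```

In the constructed sample, the 404s cluster on default.example while test.com still serves a 200 to a WordPress client, which is the case the server-level warning above is about.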

  • Last modified: 2018/03/29 16:01
  • by Jackson Zhang