Attacks on WordPress XML-RPC are very common nowadays. Numerous and continuous POST requests to the xmlrpc.php script can produce significant server load and dramatically affect the browsing experience of all other users.
If you host many WordPress sites on one server, the chance that such traffic takes the whole server down is much higher.
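To see which clients are generating the xmlrpc.php POST floods described above, the following added script (not part of the original post) tallies POST requests to xmlrpc.php per client address from combined-format Apache or nginx access logs; the sample log lines are constructed and the threshold is an assumption.

```python
#!/usr/bin/env python3
"""Count POST hits on xmlrpc.php per client IP from combined-format access logs."""
import re
from collections import Counter

# Combined log format: IP - - [time] "METHOD /path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def count_xmlrpc_posts(lines):
    """Return a Counter of client IP -> number of POST requests to /xmlrpc.php."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        path = m.group("path").split("?")[0]  # drop any query string
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            hits[m.group("ip")] += 1
    return hits

def flag_sources(hits, threshold):
    """IPs whose xmlrpc.php POST count reaches the threshold, busiest first."""
    return [ip for ip, n in hits.most_common() if n >= threshold]

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2024:10:00:04 +0000] "POST /blog/xmlrpc.php?a=1 HTTP/1.1" 200 415 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    # Assumed threshold: 3 POSTs in the sample; tune it to the size of the log window you feed in
    hits = count_xmlrpc_posts(SAMPLE_LOG.splitlines())
    for ip in flag_sources(hits, threshold=3):
        print(f"{ip}: {hits[ip]} POSTs to xmlrpc.php")
```

Pipe a real log in with `count_xmlrpc_posts(open("/var/log/httpd/domains/domain.com.log"))` or similar; the path depends on your DirectAdmin layout.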
With 1, 2 or even 10 sites it is fine to update the .htaccess of each site, but with more sites keeping every .htaccess file up to date is no longer a trivial task. This is where DirectAdmin's Apache templates let us block the requests for all sites at once.
So now we know the main weakness associated with XML-RPC: brute-force attacks, where attackers try to log in to WordPress through xmlrpc.php. But...
XML-RPC on WordPress is actually an API, or "application programming interface".
It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site.
The XML-RPC API that WordPress provides gives developers a way to write applications for you that can do many of the things you can do when logged into WordPress via the web interface. These include:
The hosting panel DirectAdmin uses templates for Apache, nginx and the other services it manages. Once a template is modified for our needs it affects all existing and newly created virtual hosts for our sites. So let's do it.
Root-level access over SSH is required. Once connected to the server console as root, run the following commands:
cd /usr/local/directadmin/data/templates/custom/
touch virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post
touch virtual_host2_secure_sub.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post
chmod 644 virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post
chmod 644 virtual_host2_secure_sub.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post
Here we changed directory and created 4 empty files, which we need to open in an editor (one by one) and populate with the following directives:
<Location ~ "/xmlrpc.php">
    Order allow,deny
    Deny from all
    ErrorDocument 403 "Sorry, you are not allowed to view this page!"
</Location>
These are Apache 2.2-style access directives; on Apache 2.4 they only work while mod_access_compat is loaded (Require all denied is the native 2.4 form). Once the first template is complete, say virtual_host2.conf.CUSTOM.4.post, we can copy its content to the other files:
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_secure_sub.conf.CUSTOM.4.post
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post
Now we need to apply the changes and regenerate the configs for all existing virtual hosts. Run this:
cd /usr/local/directadmin/custombuild/
./build rewrite_confs
After all configs are regenerated, make sure Apache is running and try to open the script in a browser: http://www.domain.com/xmlrpc.php
If everything was done correctly you will see "Sorry, you are not allowed to view this page!".
For nginx create the following files:
cd /usr/local/directadmin/data/templates/custom/
touch nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
touch nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post
chmod 644 nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
chmod 644 nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post
Here we changed directory and created 4 empty files, which we need to open in an editor (one by one) and populate with the following directives:
location = /xmlrpc.php {
    deny all;
}
Once the first template is complete, say nginx_server.conf.CUSTOM.4.post, we can copy its content to the other files:
cp -p nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
cp -p nginx_server_secure.conf.CUSTOM.4.post nginx_server_secure_sub.conf.CUSTOM.4.post
cp -p nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post
Now we need to apply the changes and regenerate the configs for all existing virtual hosts. Run this:
cd /usr/local/directadmin/custombuild/
./build rewrite_confs
After all configs are regenerated, make sure nginx is running and try to open the script in a browser: http://www.domain.com/xmlrpc.php
If everything was done correctly you will see a 403 error: "403 Forbidden".
For OpenLiteSpeed create the following file:
cd /usr/local/directadmin/data/templates/custom/
touch openlitespeed_vhost.conf.CUSTOM.5.post
chown diradmin:diradmin openlitespeed_vhost.conf.CUSTOM.5.post
Here we changed directory and created 1 empty file, which we need to open in an editor and populate with the following directive (it also blocks wp-trackback.php):
RewriteRule ^/(xmlrpc|wp-trackback)\.php - [F,L,NC]
Now we need to apply the changes and regenerate the configs for all existing virtual hosts. Run this:
cd /usr/local/directadmin/custombuild/
./build rewrite_confs
After all configs are regenerated, make sure OpenLiteSpeed is running and try to open the script in a browser: http://www.domain.com/xmlrpc.php
If everything was done correctly you will see a 403 error: "403 Forbidden".
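Opening one domain in a browser confirms the template works, but the point of doing this at the template level is that every site on the server is covered. The following added script (not part of the original post, and valid for the Apache, nginx and OpenLiteSpeed variants alike) reads DirectAdmin's domain list and checks that xmlrpc.php answers 403 on each domain; it assumes /etc/virtual/domainowners in the usual "domain: user" format and plain HTTP reachability of each site.

```python
#!/usr/bin/env python3
"""Check that xmlrpc.php answers 403 on every domain hosted on this DirectAdmin server."""
import sys
import urllib.error
import urllib.request

# Assumed location of DirectAdmin's domain list, one "domain.tld: username" per line
DOMAINOWNERS = "/etc/virtual/domainowners"

def parse_domainowners(text):
    """Extract domain names from 'domain: user' lines, ignoring blanks and comments."""
    domains = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        domains.append(line.split(":", 1)[0].strip())
    return domains

def classify(status):
    """Map an HTTP status (None for a connection failure) to a verdict."""
    if status is None:
        return "unreachable"
    return "blocked" if status == 403 else "open"

def fetch_status(domain, timeout=10):
    """GET http://domain/xmlrpc.php, as the browser check does; return the status or None."""
    req = urllib.request.Request(f"http://{domain}/xmlrpc.php",
                                 headers={"User-Agent": "xmlrpc-block-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # a 403 raises HTTPError, which is the result we want
    except (urllib.error.URLError, OSError):
        return None

def check_domains(domains, fetch=fetch_status):
    """Return {domain: (status, verdict)}; fetch is injectable so the logic runs offline in tests."""
    results = {}
    for domain in domains:
        status = fetch(domain)
        results[domain] = (status, classify(status))
    return results

if __name__ == "__main__":
    with open(DOMAINOWNERS) as f:
        results = check_domains(parse_domainowners(f.read()))
    for domain, (status, verdict) in sorted(results.items()):
        print(f"{verdict:<11} {str(status):<5} {domain}")
    # non-zero exit if any site still serves xmlrpc.php, so this can run from cron
    sys.exit(0 if all(v == "blocked" for _, v in results.values()) else 1)
```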