DirectAdmin Knowledge Base and Support


How to block access to xmlrpc.php serverwide on Directadmin?

00:00:00 09.04.2019

Attacks on WordPress XML-RPC are very common nowadays. Numerous, continuous POST requests to the xmlrpc.php script can produce significant server load and dramatically affect the browsing experience of all other users.

The main weakness associated with XML-RPC is brute-force attacks: attackers try to log in to WordPress through xmlrpc.php.
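To see how much of this traffic a server is actually receiving, here is an added shell example (not part of the original article) that counts POST requests to xmlrpc.php per client IP and per response status in a combined-format access log. The log lines are constructed, and the DirectAdmin per-domain log path mentioned in the comment is an assumption; the same functions run unchanged over a real Apache or nginx access log.

```shell
#!/bin/sh
# Measure XML-RPC traffic in a combined-format access log (Apache or nginx).
# Added example, not from the original article. The sample log below is
# constructed; on a DirectAdmin server point the functions at a real log,
# for example /var/log/httpd/domains/<domain>.log (path is an assumption).

# Clients posting to xmlrpc.php, printed as "count ip", busiest first.
# Field layout of the combined format: $1 ip, $6 "METHOD, $7 path, $9 status.
xmlrpc_top_clients() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Total number of POSTs to xmlrpc.php from any client.
xmlrpc_post_total() {
    xmlrpc_top_clients "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# POSTs to xmlrpc.php grouped by HTTP status, printed as "status count".
# Before the block this is mostly 200; after it every line should be 403.
xmlrpc_status_counts() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$9]++ }
         END { for (s in n) print s, n[s] }' "$1" | sort
}

# Constructed sample log: one client hammering xmlrpc.php, one ordinary
# visitor, one request already answered with 403, one GET that is ignored.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [09/Apr/2019:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Apr/2019:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2019:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Apr/2019:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2019:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 55 "-" "curl/7.64"
192.0.2.9 - - [09/Apr/2019:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.64"
EOF

echo "xmlrpc.php POSTs per client:"
xmlrpc_top_clients "$SAMPLE_LOG"
echo "xmlrpc.php POSTs per status:"
xmlrpc_status_counts "$SAMPLE_LOG"
echo "total: $(xmlrpc_post_total "$SAMPLE_LOG")"
```

Running the status breakdown again after applying one of the blocks below is a quick way to confirm that the requests are now being rejected before they reach PHP.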

Use-case

  • DirectAdmin, the hosting panel
  • Apache, NGINX or Nginx+Apache, the web-server(s)
  • 2+ WordPress sites under an attack to xmlrpc.php


Why is that?

If you host many WordPress sites on one server, the chance that they bring the server down is much higher.

With 1, 2 or perhaps 10 sites it is fine to update the .htaccess of each site, but with more sites keeping every .htaccess file up to date is no longer a trivial task. Here we can use DirectAdmin templates for Apache to block the requests on all sites at once.

So now we know the main weakness associated with XML-RPC: brute-force attacks, where attackers try to log in to WordPress through xmlrpc.php. But...


What is XML-RPC?

XML-RPC on WordPress is actually an API, an "application programming interface".

It gives developers of mobile apps, desktop apps and other services the ability to talk to your WordPress site.

The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. These include:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments


Block attacks with DirectAdmin + Apache

The hosting panel DirectAdmin uses templates for Apache, Nginx and the other services it manages. Once modified for our needs, the templates affect all existing and newly created virtual hosts for our sites. So let's do it.

Root-level access over SSH is required. Once connected to the server console as root, run the following commands:

cd /usr/local/directadmin/data/templates/custom/
touch virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post
touch virtual_host2_secure_sub.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post
chmod 644 virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post
chmod 644 virtual_host2_secure_sub.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post

Here we changed directory and created 4 empty files, which we need to open in an editor (one by one) and populate with the following directives:

<Location ~ "/xmlrpc.php">
    # Apache 2.2-style access control; on Apache 2.4 these two lines need
    # mod_access_compat, the native equivalent is "Require all denied"
    Order allow,deny
    Deny from all
    ErrorDocument 403 "Sorry, you are not allowed to view this page!"
</Location>

As soon as we have completed the first template, say virtual_host2.conf.CUSTOM.4.post, we can copy its content to the other files:

cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_secure_sub.conf.CUSTOM.4.post
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post

Now we need to apply changes and re-generate configs for all existing virtual hosts. Run this:

cd /usr/local/directadmin/custombuild/
./build rewrite_confs

After all configs are re-generated, make sure Apache has started, then try to open the script in a browser: http://www.domain.com/xmlrpc.php

If everything was done correctly you will see "Sorry, you are not allowed to view this page!".


Block attacks with NGINX

For nginx create the following files:

cd /usr/local/directadmin/data/templates/custom/
touch nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
touch nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post
chmod 644 nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
chmod 644 nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post

Here we changed directory and created 4 empty files, which we need to open in an editor (one by one) and populate with the following directives:

location = /xmlrpc.php {
    deny all;
}

As soon as we have completed the first template, say nginx_server.conf.CUSTOM.4.post, we can copy its content to the other files:

cp -p nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
cp -p nginx_server_secure.conf.CUSTOM.4.post nginx_server_secure_sub.conf.CUSTOM.4.post
cp -p nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post

Now we need to apply changes and re-generate configs for all existing virtual hosts. Run this:

cd /usr/local/directadmin/custombuild/
./build rewrite_confs

After all configs are re-generated, make sure nginx has started, then try to open the script in a browser: http://www.domain.com/xmlrpc.php

If everything was done correctly you will see a 403 error: "403 Forbidden".


Block attacks with OpenLiteSpeed

For OpenLiteSpeed create the following file:

cd /usr/local/directadmin/data/templates/custom/
touch openlitespeed_vhost.conf.CUSTOM.5.post
chown diradmin:diradmin openlitespeed_vhost.conf.CUSTOM.5.post

Here we changed directory and created 1 empty file, which we need to open in an editor and populate with the following directive:

RewriteRule ^/(xmlrpc|wp-trackback)\.php - [F,L,NC]

Now we need to apply changes and re-generate configs for all existing virtual hosts. Run this:

cd /usr/local/directadmin/custombuild/
./build rewrite_confs

After all configs are re-generated, make sure OpenLiteSpeed has started, then try to open the script in a browser: http://www.domain.com/xmlrpc.php

If everything was done correctly you will see a 403 error: "403 Forbidden".
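Whichever web server is in use, the block is worth verifying on every hosted domain rather than on a single one opened in a browser. The following shell script is an added example, not from the original article: it assumes DirectAdmin's domain list at /etc/virtual/domainowners (one "domain: user" per line) and that curl is installed, and it reports per domain whether a POST to /xmlrpc.php is answered with 403 by Apache, nginx or OpenLiteSpeed.

```shell
#!/bin/sh
# Check that /xmlrpc.php is blocked on every domain hosted by DirectAdmin.
# Added example, not part of the original article. Assumes the DirectAdmin
# domain list at /etc/virtual/domainowners ("domain: user" per line) and curl.

DOMAINOWNERS="${DOMAINOWNERS:-/etc/virtual/domainowners}"

# Print one domain per line from a domainowners-style file given as $1.
list_domains() {
    sed -n 's/^\([^:[:space:]]*\):.*/\1/p' "$1"
}

# Map an HTTP status code to a verdict. Apache (with the ErrorDocument),
# nginx and OpenLiteSpeed all answer 403 once the block is in place;
# curl reports 000 when it could not connect at all.
classify_status() {
    case "$1" in
        403) echo blocked ;;
        000) echo unreachable ;;
        *)   echo open ;;
    esac
}

# POST to /xmlrpc.php on domain $1 and print only the HTTP status code.
probe_xmlrpc() {
    curl -s -o /dev/null -w '%{http_code}' -m 10 -X POST "http://$1/xmlrpc.php"
}

# One line per domain: "domain status verdict".
check_all() {
    list_domains "$DOMAINOWNERS" | while read -r domain; do
        code=$(probe_xmlrpc "$domain")
        printf '%s %s %s\n' "$domain" "$code" "$(classify_status "$code")"
    done
}

# Only probe when the DirectAdmin domain list exists on this machine.
if [ -r "$DOMAINOWNERS" ]; then
    check_all
fi
```

Any domain reported as "open" is still serving xmlrpc.php, which usually means the template for that vhost type (regular, secure, sub-domain) was not copied or `./build rewrite_confs` was not re-run after editing it.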

