How to Block xmlrpc.php Bot Attack

Your server may experience heavy hits from a bot named BUbiNG. This may have caused a massive load spike in the server. To prevent further problems, we can deny that user agent globally.

Example 1

An easy solution is to use a rewrite rule to detect the user agent, and then set environment with the action [E=blockbot]. This will drop the direct connection from that client IP.

Add the following to the .htaccess of the domain:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "BUbiNG"
RewriteRule .* - [E=blockbot:1]

To verify, you can run:

curl -A "BUbiNG"

If your rules need further debugging, you can enable rewrite log to check.

Example 2

On a server, after configuring cPanel Piped Logging to push entries to /usr/local/apache/logs/error_log, you can see many 404 File not found [/var/www/html/xmlrpc.php] entries coming through. 404 will not trigger the LSWS WordPress protection feature, because the requests look like they're being processed by the default vhost.

Locate the virtual host serving the requests, and add a vhost-level rewrite rule to drop the connection using [E=blockbot].

RewriteRule ^/xmlrpc.php - [E=blockbot:1]

Note: Do not apply the above at the server level since it will block everyone accessing xmlrpc.php globally.

litespeed_wiki/config/xmlrpc.php_bot_attack_block.txt · Last modified: 2018/03/29 19:07 by Lisa Clarke