8 Tips to Make Your Wordpress Secure and avoid XML-RPC Attack
-
Eric Wei
- 5 Min To Read
- 16 Sep, 2021
In this post, we will provide some tips to protect your WordPress and avoid XML-RPC attacks and explore how to use some open-source solutions and plugins to protect your WordPress.
WordPress is secure but open-source plugins and themes make it become vulnerable to hacker attempts. Anyone can see the source codes of your plugins or themes, so it’s easy to find code vulnerabilities and attack your website by sending a high volume of HTTP requests in a short period of time.
For instance, simply make a lot of requests to /xmlrpc.php on your WordPress Host. Your website will be easily attacked by Brute force attacks via XML-RPC.
Unfortunately, setting a network firewall properly can not save you to solve this problem.
Instead, you need to use a Web Application Firewall to protect WordPress or set up rules on Apache. Because this attack coming from PORT 80 or 433 will be bypassed network firewall policies.
XML-RPC Attack
XML-RPC on WordPress is actually an API that allows developers who make 3rd party application and services the ability to interact to your WordPress site. The XML-RPC API of WordPress provides several functionalities including publish, edit, delete, a post, upload a new file, get a list of comments, edit comments.
I have set up WordPress on Lighsail on AWS to achieve high performance and availability but I found lots of security problems in vulnerable plugins.
Once I make my WordPress public, my WordPress has a high load of CPU utilization.
After checking incoming logs on firewall, I found the cause of this problem was Brute-Force XML-RPC Attack.
Below we will show you some tips to protect your WordPress in a cost effective way.
8 Tips to protect WordPress
1. Disable XML-RPC Attack
You can install any WAF to disable XML-RPC Attack or simply set up a policy on Apache at .htaccess as below
# .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
2. Hide the Login URL
Install WPS Hide Login and hide the default login URL of WordPress.
Because there are lots of malicious hackers using tool to find your login page of WordPress and trying to use Brute-force attack to break the Password with Admin user account.
You had better to change the login URL as a very special and unique string, not easy to guess.
3. Restrict Login Attempts
If a hacker found your login page, he would try to guess the password to break your website.
It’s recommended to restrict the login attempts to as minimal as possible.
If he failed more than 3 times, then block his IP to access.
4. Disable wb-cron.php
This file usually exists under the root of the WordPress site: /wp-cron.php
By default, the wp-cron.php is called on every page load (anytime a client requests any WordPress page), which on high-traffic sites can cause problems (DoS). Also, a hacked can make a lot of GET requests to /wp-cron.php on your WordPress Host to try invoking some scripts.
To completely remove this potential risk, it is recommended to disable Wp-Cron as below.
vim wp-config.php
define('DISABLE_WP_CRON', true);
5. Regularly update and scan plugins and themes
This sounds like a tedious job to regularly check and update your plugins and themes.
But you have to do it anyway. Because most of the vulnerabilities or malware attacks coming from depreciated plugins, themes, or WordPress.
You can Install WPS Scan to run a cron job to regularly check your plugins. Once you found any plugins needed to upgrade, update them immediately.
6. Remove Admin User and strength Password
Don’t forget to remove the default user as admin or administrator on WordPress. This can reduce the risk of being attacked by a Brute-force Attack.
Also, create a new account as the administrator and strength your password, and make it hard to guess.
7. Install and Setup Web Application Firewall
There are tons of Web Application Firewalls over there. But how to choose a Web Application Firewall (WAF)?
We will provide some WAFs that are useful for your reference.
NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall
Pros:
- the free version is very powerful including all the features to protect your WordPress
- you can easily check access logs
Cons:
- settings may be hard for someone who has limited knowledge of security
Wordfence Security – Firewall & Malware Scan
Pros:
- fancy admin UI, easy to use
- cover all the necessary features.
- access logs are very easy to understand
Cons:
-
Cannot completely protect XML-RPC Attack
Because Wordfence will detect someone is attacking your website and take actions to block his IP. This won’t completely avoid XML-RPC Attack but will take computing power and keep your server’s CPU utilization running in a high load.
Sucuri Security – Auditing, Malware Scanner and Security Hardening
Pros:
- fancy admin UI, easy to use
- cover all the necessary features.
Cons:
- you need to pay commercial version to include some important features.
8. Validate WordPress in OWASP ZAP
When you set up the WAF and network firewall properly, you should install OWASP ZAP and run OWAP-10 Attacks on your WordPress.
This can help you to better understand how secure your website is and find problematic plugins or PHP, CSS, JavaScript files. Then you can take actions to fix them.
Conclusion
To make WordPress secure is not hard but time-consuming. You need to regularly check and update plugins and themes. In addition, it’s required knowledge to set it up WAF properly and to regularly run the pen-testing tool to validate your WordPress.
Of course, you can use 3rd Party service to manage your WordPress or reply on some professionals to maintain it.
Another option to make your lives become easier is to use JAMStack instead of WordPress.
You can refer to How to build high performance and security website with JAMStack and Hugo?
You might be interested in