Have you noticed that once you have a security plugin like Wordfence installed (or if you have bought one of our blog products where we have all of this pre-configured), you get a number of e-mails with this subject line:
[Wordfence Alert] www.yourdomain.com User locked out from signing in
And if you go into the e-mail, it would go something like this:
This email was sent from your website "Wireplugged" by the Wordfence plugin at Sunday 30th of May 2021 at 04:56:51 AM
The Wordfence administrative URL for this site is: https://wireplugged.com/wp-admin/network/admin.php?page=Wordfence
A user with IP address 184.108.40.206 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username 'admin' to try to sign in.
The duration of the lockout is 2 months.
User IP: 220.127.116.11
User hostname: 18.104.22.168.bc.googleusercontent.com
User location: Council Bluffs, Iowa, United States
You know, if you get just a handful of these e-mails (like 2 or 3 per day), then, for the most part, you could just ignore them. You’re getting this e-mail because Wordfence is doing a fantastic job of blocking malicious login attempts.
But what if you’re getting hit a number of times a day? For example, something like this:
That’s 20+ hits in 20 minutes, all from different places all over the world, from visitors who don’t even have an account on the domain. These are automated programs (bots) trying to gain access to the website through a technique called “brute force”.
And this could happen to your site eventually.
As I said, Wordfence does a pretty good job of handling it and informs you that it has been handled. You could also set the lockout duration to 2 months, and that would take care of each of those specific IP addresses.
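The difference between “a handful a day” and “20+ in 20 minutes” is easy to judge from a mailbox full of alerts if you parse them. This is an added example (not from the post or from Wordfence): it parses alert bodies in the format quoted above and reports the busiest 20-minute window. The sample alerts are constructed; the IPs, hostnames and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in the format of the Wordfence e-mail quoted above;
# the IPs, hostnames and timestamps are made up for this example.
SAMPLE_ALERTS = """\
This email was sent from your website "Example" by the Wordfence plugin at Sunday 30th of May 2021 at 04:56:51 AM
A user with IP address 198.51.100.10 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username 'admin' to try to sign in.
User hostname: 10.100.51.198.bc.googleusercontent.com

This email was sent from your website "Example" by the Wordfence plugin at Sunday 30th of May 2021 at 05:02:13 AM
A user with IP address 203.0.113.7 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username 'administrator' to try to sign in.
User hostname: 203-0-113-7.example-isp.net

This email was sent from your website "Example" by the Wordfence plugin at Sunday 30th of May 2021 at 11:30:00 PM
A user with IP address 192.0.2.55 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username 'admin' to try to sign in.
User hostname: 192.0.2.55
"""

TIME_RE = re.compile(r"at \w+ (\d+)(?:st|nd|rd|th) of (\w+) (\d{4}) at (\d\d:\d\d:\d\d [AP]M)")
REASON_RE = re.compile(r"for the following reason: (.+?)\.?$", re.M)
HOST_RE = re.compile(r"User hostname: (\S+)")

def parse_alerts(text):
    """Turn a batch of alert bodies into sorted (timestamp, reason, hostname) tuples."""
    alerts = []
    for block in text.strip().split("\n\n"):
        day, month, year, clock = TIME_RE.search(block).groups()
        when = datetime.strptime(f"{day} {month} {year} {clock}", "%d %B %Y %I:%M:%S %p")
        reason = REASON_RE.search(block).group(1)
        host = HOST_RE.search(block).group(1)
        alerts.append((when, reason, host))
    return sorted(alerts)

def peak_rate(alerts, window=timedelta(minutes=20)):
    """Largest number of lockouts that fall inside any sliding window of the given length."""
    times = [a[0] for a in alerts]
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(alerts, threshold=20):
    """Background noise (a handful a day) vs. the 20-in-20-minutes pattern described above."""
    return "sustained brute force" if peak_rate(alerts) >= threshold else "background noise"
```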
Why does this happen?
WordPress has a file called xmlrpc.php which, in the early days, had a lot of use. The function of this file is to open up WordPress’s functionality to external applications (for example, posting to WordPress by e-mail, mobile apps, etc.). Nowadays, after the introduction of the WordPress REST API (in version 4.4), xmlrpc.php is kept only for backward compatibility and is more of a security risk.
What can xmlrpc.php be used for? Some of the common uses for external applications are:
- Edit/Publish/Delete posts
- Upload files (eg: Image files for a post)
- Get a list of comments
- Edit and modify comments
So install Wordfence, set it, and forget it?
Yes, and No.
The problem that most of us don’t realize is the resources this uses on your server.
Even though Wordfence is handling these, every one of these requests still reaches your server before Wordfence can block it. This eats up a lot of your bandwidth, CPU and memory, and could slow down your server so much that even legitimate users find it difficult to access your website.
But why me? Am I hit by malware?
The modus operandi of this attack, as I understand, is this:
- Log in to your domain or server by brute-forcing credentials
- Add malicious code to your server / website directly, or through plugin / theme vulnerabilities
- Join your domain to their ranks of infected websites and run their programs through your domain, even bruteforcing other websites like they did yours
If you’re still getting hit by bots, then chances are that you are not yet infected; but in any case, set the Wordfence Scan settings to High Sensitivity, and run a scan on your website. If any plugins/themes or even the WordPress core are infected, they will be displayed in the results.
So how do I block this permanently?
The quickest way is to disable xmlrpc.php. There are plugins that can do that for you in just a few clicks. But the bots will keep trying, and hits on your server will continue.
The smart way is to not let them reach your server at all. How do you do that?
I use Cloudflare, and the following settings worked well for me. Let me show you how.
What is Cloudflare?
Cloudflare is a website that provides, among its other features, CDN delivery and DDoS mitigation services and acts as a “reverse proxy” for your domain.
What is a “reverse proxy”, you ask? A reverse proxy is basically a “middleman” which routes client requests to your domain. Simply put, it will “mask” your domain’s IP address with another IP address so that no one will ever know what your domain’s true IP address is.
Along with masking your IP address, Cloudflare can also block DDoS attacks (attacks like this one), by blocking such requests from reaching your server.
How do I set up my website on Cloudflare?
Some hosts like LiquidWeb will connect your domain to Cloudflare through their interface. But for others, you’ll need to do it manually.
This step could be a bit technical for some people, so if you need this done without getting your hands dirty, you may want to hire technical help. Or you could follow the steps below:
- Create an account in Cloudflare
- Add your domain to Cloudflare, and click Next.
- There are a number of paid plans, but you can choose the Free plan for this.
- You’ll reach a page where you’ll be given two nameserver addresses. Make a note of these.
That was the easy part. Now comes the technical bit.
- Next, log in to your current domain service provider (GoDaddy, Namecheap, etc.)
- Go to the section where you manage the Nameservers for the domain you added to Cloudflare.
- Here, replace the name servers with the two nameserver addresses that Cloudflare gave you, and save settings.
It will take a while for this change to take effect (DNS updates can take 24 to 48 hours, but sometimes much less). You can log back into Cloudflare later to check whether the change is complete and Cloudflare is able to manage your domain.
Ok, I did that. Now how do I block these pesky bots?
Let me show you how it’s done, with some results.
Now, there are 2 things we need to do in Cloudflare.
- Disable access to XMLRPC.php
- Conditionally block access to wp-login.php
I did this while the attack was underway, and as you can see from the screenshots, no further alerts on that day.
User Locked Out From Signing In – So, What Should I do to Fix This?
Disable access to XMLRPC.php
- Login to Cloudflare, and select your domain.
- Click the Firewall Button
- Select the “Firewall Rules” tab.
In the free Cloudflare account, you can set up 5 firewall rules. For this, we’ll need only 1.
- Click on the Create a Firewall Rule button.
- Give it a name to identify (Eg: Block XMLRPC Bots)
- Under the Field section dropdown, select URI Path.
- Set the Operator to “contains”.
- Set the value to “/xmlrpc.php” (without the quotes)
- Click on AND (make sure it’s not OR)
- Here, set the Field section dropdown to Request Method.
- Set the Operator to “equals”.
- Set the Value dropdown to POST.
- Scroll down, and select the Action. You can choose to completely block access (choose Block), or present the bot with a Captcha challenge.
- Save the changes.
In simple words, you’ve just told Cloudflare that, for this domain, if a bot sends a POST request to the file “xmlrpc.php”, reply with a Captcha (or block it outright, if you chose Block).
And why POST? If you try accessing xmlrpc.php on your domain directly through a browser (Type in yourdomain.com/xmlrpc.php), it will tell you that only POST requests are accepted by this file.
Conditionally block access to wp-login.php
The other part of the brute-force attack that we need to block is the direct hit on wp-login.php. Hackers are loaded with username/password combinations they have swiped from vulnerable sites (or bought from third parties). They try out common username/password combinations (“admin” is a very common username, and sometimes the passwords people use are as simple as “12345”, which is easy to guess) on their list of target servers. If a domain uses a combination in their list for admin access, they’ll be able to log in, and possibly create another admin account, modify posts and pages, etc.
To block bot attacks on wp-login.php, you need to set a Page Rule. Cloudflare allows up to 3 page rules for free accounts. To set this, you can do the following:
- In Cloudflare, click on the Rules button on the top.
- Click on Create Page Rule.
- In the If the URL matches tab, add your domain in the following format:
- If you use subdomains, add the domain in this form: http://*.yourdomain.com/wp-login.php* (Notice the “.” after http://*)
- For the first setting, choose Browser Integrity Check, and set it to On.
- Click on Add a Setting. Here, choose Security Level and set it to I’m Under Attack.
- Save the Page Rule.
That’s it! After setting this up, I had 1 bot hit on the URL in 2 days. Very effective!
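The two rules above (the firewall rule for xmlrpc.php and the page rule for wp-login.php) can also be applied through Cloudflare’s API, which makes them easier to review and to reapply on another site. This is an added example, not from the post or from Cloudflare: the endpoint paths, field names and action ids (`browser_check`, `security_level`, `under_attack`) are as I know them from the Cloudflare v4 API, so check them against the current docs, and the zone id and token come from environment variables you supply.

```python
import json
import os
import urllib.request

# Added example, not from the post: the two Cloudflare rules described above as
# API payloads. Endpoint paths, field names and action ids are as I know them
# from the Cloudflare v4 API (firewall rules and page rules); check them against
# the current docs, since Cloudflare has since moved firewall rules into its
# rulesets API. CF_ZONE_ID and CF_API_TOKEN are placeholders you must supply.
CF_API = "https://api.cloudflare.com/client/v4"
XMLRPC_EXPR = '(http.request.uri.path contains "/xmlrpc.php" and http.request.method eq "POST")'

def xmlrpc_firewall_rule(action="challenge"):
    """Firewall rule: URI path contains /xmlrpc.php AND request method equals POST."""
    if action not in ("block", "challenge"):
        raise ValueError("use 'block' (Block) or 'challenge' (Captcha)")
    return [{"description": "Block XMLRPC Bots", "action": action,
             "filter": {"expression": XMLRPC_EXPR}}]

def login_page_rule(url_pattern):
    """Page rule for wp-login.php: Browser Integrity Check on, Security Level I'm Under Attack."""
    if not url_pattern.endswith("/wp-login.php*"):
        raise ValueError("pattern should target wp-login.php, e.g. http://*.yourdomain.com/wp-login.php*")
    return {"targets": [{"target": "url",
                         "constraint": {"operator": "matches", "value": url_pattern}}],
            "actions": [{"id": "browser_check", "value": "on"},
                        {"id": "security_level", "value": "under_attack"}],
            "status": "active"}

def cf_post(zone_id, token, path, payload):
    """POST a JSON payload to a zone-scoped Cloudflare endpoint (needs network access)."""
    req = urllib.request.Request(f"{CF_API}/zones/{zone_id}/{path}",
                                 data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    print(cf_post(zone, token, "firewall/rules", xmlrpc_firewall_rule("challenge")))
    print(cf_post(zone, token, "pagerules", login_page_rule("http://*.yourdomain.com/wp-login.php*")))
```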