{"id":9349,"date":"2022-04-21T09:22:36","date_gmt":"2022-04-21T09:22:36","guid":{"rendered":"https:\/\/cpanelplesk.com\/wp62\/?p=9349"},"modified":"2022-04-21T09:22:36","modified_gmt":"2022-04-21T09:22:36","slug":"how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks","status":"publish","type":"post","link":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/","title":{"rendered":"How to recover &amp; prevent (Apache web server) from XMLRPC attacks"},"content":{"rendered":"<p><span style=\"font-weight: 400\">High server load is sometimes reported on cPanel, Plesk, and DirectAdmin servers hosting WordPress websites, with &#8220;xmlrpc.php&#8221; showing up as the top CPU consumer. xmlrpc.php is a file used for remote publishing and ping-back tracking on WordPress websites. Botnets target this file in order to launch brute-force attacks on the targeted website. This puts a lot of strain on the server.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We assist web hosts, VPS providers, and cloud providers in preventing such attacks and ensuring high service availability. Our web server management services include server load mitigation and attack mitigation. In this article, we&#8217;ll go through how to recover from an xmlrpc.php attack and how to avoid it.<\/span><\/p>\n<h3><b>How do you recover from a heavy load?<\/b><\/h3>\n<p><span style=\"font-weight: 400\">When the server is overloaded, the first priority is to get everything back to normal. To accomplish this, you&#8217;ll need to block access to xmlrpc.php at the Apache level. 
You can do this by adding the following directive to the Apache configuration file and restarting the server:<\/span><\/p>\n<div class=\"service-sh\">\n<pre>&lt;Files ~ \"xmlrpc.php\"&gt;\r\n<span style=\"font-weight: 400\"> \u00a0Order allow,deny<\/span>\r\n<span style=\"font-weight: 400\"> \u00a0Deny from all<\/span>\r\n<span style=\"font-weight: 400\">&lt;\/Files&gt;\r\n<\/span><\/pre>\n<\/div>\n<h3><strong>How can you prevent xmlrpc.php from being abused?<\/strong><\/h3>\n<p><span style=\"font-weight: 400\">Disabling xmlrpc.php access is only a temporary fix, as many websites rely on it to track blog ping-backs and do remote posting. The longer-term approach is therefore to block attacks based on a signature they share. The following is an example of an xmlrpc.php attack log:<\/span><\/p>\n<div class=\"service-sh\">\n<pre>37.203.208.49 - - [21\/Jan\/2015:15:37:54 -0500] \"POST \/xmlrpc.php HTTP\/1.0\" 503 4859\r\n<span style=\"font-weight: 400\">37.203.208.49 - - [21\/Jan\/2015:15:37:55 -0500] \"POST \/xmlrpc.php HTTP\/1.0\" 503 4859<\/span>\r\n<span style=\"font-weight: 400\">37.203.208.49 - - [21\/Jan\/2015:15:37:57 -0500] \"POST \/xmlrpc.php HTTP\/1.0\" 503 4859<\/span>\r\n<span style=\"font-weight: 400\">37.203.208.49 - - [21\/Jan\/2015:15:38:02 -0500] \"POST \/xmlrpc.php HTTP\/1.0\" 503 4859<\/span>\r\n<span style=\"font-weight: 400\">37.203.208.49 - - [21\/Jan\/2015:15:38:11 -0500] \"POST \/xmlrpc.php HTTP\/1.0\" 503 4861<\/span>\r\n<span style=\"font-weight: 400\">37.203.208.49 - - [21\/Jan\/2015:15:38:13 -0500] \"POST \/xmlrpc.php HTTP\/1.0\" 503 4861<\/span>\r\n<span style=\"font-weight: 400\">37.203.208.49 - - [21\/Jan\/2015:15:38:18 -0500] \"POST \/xmlrpc.php HTTP\/1.0\" 503 4861<\/span><\/pre>\n<\/div>\n<p>A genuine request will have a Referer header, whereas attack requests will typically not have one. As a result, such requests can be blocked using a firewall rule. This is where ModSecurity comes in handy. 
Add the following to the ModSecurity rule set:<\/p>\n<div class=\"service-sh\">\n<pre>#Block requests to xmlrpc.php with no referring URL\r\nSecRule REQUEST_METHOD \"POST\" \"deny,status:401,id:5000900,chain,msg:'xmlrpc request blocked, no referer'\"\r\nSecRule &amp;HTTP_REFERER \"@eq 0\" \"chain\"\r\nSecRule REQUEST_URI \"xmlrpc.php\"<\/pre>\n<\/div>\n<p><em class=\"text-info\">On dedicated servers with a small number of WordPress sites, installing a plugin like &#8220;xmlrpc assaults blocker&#8221; may be easier and more versatile.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>High server load is sometimes reported in cPanel, Plesk, and DirectAdmin servers with WordPress websites, with &#8220;xmlrpc.php&#8221; showing up as the top CPU consumer. xmlrpc.php is a file used for remote publishing and ping-back tracking on WordPress websites. Botnets target this file in order to launch brute-force attacks on the targeted website. This puts a [&#8230;]<\/p>\n<p><a class=\"understrap-read-more-link\" href=\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/\">Continue Reading&#8230;<\/a><\/p>\n","protected":false},"author":19,"featured_media":9447,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,4,3],"tags":[],"class_list":["post-9349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cpanel","category-general","category-plesk"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to recover &amp; prevent (Apache web server) from XMLRPC attacks - cPanel Plesk<\/title>\n<meta name=\"description\" content=\"In cPanel, Plesk, and DirectAdmin servers with WordPress, these are the procedures we take to recover from and avoid an xmlrpc.php assault.\" \/>\n<meta 
name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"How to recover &amp; prevent (Apache web server) from XMLRPC attacks - cPanel Plesk\" \/>\n<meta name=\"twitter:description\" content=\"In cPanel, Plesk, and DirectAdmin servers with WordPress, these are the procedures we take to recover from and avoid an xmlrpc.php assault.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"samama\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/\"},\"author\":{\"name\":\"samama\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/b5c17eff2915a029433dfd2d5a6e8465\"},\"headline\":\"How to recover &amp; prevent (Apache web server) from XMLRPC 
attacks\",\"datePublished\":\"2022-04-21T09:22:36+00:00\",\"dateModified\":\"2022-04-21T09:22:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/\"},\"wordCount\":308,\"publisher\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13\"},\"image\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png\",\"articleSection\":[\"Cpanel\",\"General\",\"Plesk\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/\",\"name\":\"How to recover &amp; prevent (Apache web server) from XMLRPC attacks - cPanel Plesk\",\"isPartOf\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png\",\"datePublished\":\"2022-04-21T09:22:36+00:00\",\"dateModified\":\"2022-04-21T09:22:36+00:00\",\"description\":\"In cPanel, Plesk, and DirectAdmin servers with WordPress, these are the procedures we take to recover from and avoid an xmlrpc.php 
assault.\",\"breadcrumb\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png\",\"contentUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png\",\"width\":1024,\"height\":538},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/cpanelplesk.com\/wp62\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to recover &amp; prevent (Apache web server) from XMLRPC attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#website\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/\",\"name\":\"cPanel Plesk\",\"description\":\"Blog on famous hosting control panels\",\"publisher\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/cpanelplesk.com\/wp62\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13\",\"name\":\"Farooq 
Omer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png\",\"contentUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png\",\"width\":300,\"height\":44,\"caption\":\"Farooq Omer\"},\"logo\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/b5c17eff2915a029433dfd2d5a6e8465\",\"name\":\"samama\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad71c1d187b45a3c1a68698160b5f6d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad71c1d187b45a3c1a68698160b5f6d?s=96&d=mm&r=g\",\"caption\":\"samama\"},\"url\":\"https:\/\/cpanelplesk.com\/wp62\/author\/samama\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How to recover &amp; prevent (Apache web server) from XMLRPC attacks - cPanel Plesk","description":"In cPanel, Plesk, and DirectAdmin servers with WordPress, these are the procedures we take to recover from and avoid an xmlrpc.php assault.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/","twitter_card":"summary_large_image","twitter_title":"How to recover &amp; prevent (Apache web server) from XMLRPC attacks - cPanel Plesk","twitter_description":"In cPanel, Plesk, and DirectAdmin servers with WordPress, these are the procedures we take to recover from and avoid an xmlrpc.php assault.","twitter_image":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png","twitter_misc":{"Written by":"samama","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#article","isPartOf":{"@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/"},"author":{"name":"samama","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/b5c17eff2915a029433dfd2d5a6e8465"},"headline":"How to recover &amp; prevent (Apache web server) from XMLRPC 
attacks","datePublished":"2022-04-21T09:22:36+00:00","dateModified":"2022-04-21T09:22:36+00:00","mainEntityOfPage":{"@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/"},"wordCount":308,"publisher":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13"},"image":{"@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png","articleSection":["Cpanel","General","Plesk"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/","url":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/","name":"How to recover &amp; prevent (Apache web server) from XMLRPC attacks - cPanel Plesk","isPartOf":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage"},"image":{"@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png","datePublished":"2022-04-21T09:22:36+00:00","dateModified":"2022-04-21T09:22:36+00:00","description":"In cPanel, Plesk, and DirectAdmin servers with WordPress, these are the procedures we take to recover from and avoid an xmlrpc.php 
assault.","breadcrumb":{"@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#primaryimage","url":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png","contentUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2022\/04\/attack.png","width":1024,"height":538},{"@type":"BreadcrumbList","@id":"https:\/\/cpanelplesk.com\/wp62\/how-to-recover-prevent-apache-web-server-from-xmlrpc-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cpanelplesk.com\/wp62\/"},{"@type":"ListItem","position":2,"name":"How to recover &amp; prevent (Apache web server) from XMLRPC attacks"}]},{"@type":"WebSite","@id":"https:\/\/cpanelplesk.com\/wp62\/#website","url":"https:\/\/cpanelplesk.com\/wp62\/","name":"cPanel Plesk","description":"Blog on famous hosting control panels","publisher":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cpanelplesk.com\/wp62\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13","name":"Farooq 
Omer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/","url":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png","contentUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png","width":300,"height":44,"caption":"Farooq Omer"},"logo":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/"}},{"@type":"Person","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/b5c17eff2915a029433dfd2d5a6e8465","name":"samama","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/5ad71c1d187b45a3c1a68698160b5f6d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5ad71c1d187b45a3c1a68698160b5f6d?s=96&d=mm&r=g","caption":"samama"},"url":"https:\/\/cpanelplesk.com\/wp62\/author\/samama\/"}]}},"_links":{"self":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/posts\/9349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/comments?post=9349"}],"version-history":[{"count":2,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/posts\/9349\/revisions"}],"predecessor-version":[{"id":9351,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/posts\/9349\/revisions\/9351"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/media\/9447"}],"wp:attachment":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/media?parent=9349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/w
p-json\/wp\/v2\/categories?post=9349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/tags?post=9349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}