How To Stop WordPress Brute Force Attack on xmlrpc.php

Yesterday one of my sites running WordPress got attacked. I only found out because my VPS provider restarted my server as my server load was climbing over 2.0 throughout the course of 2 hours. Upon investigating, I didn’t see any brute-force attacks on the WordPress login page, as expected. Instead, I examined the access log to discover POST requests to a file named xmlrpc.php. This file is used for pingbacks and remote posting, and even JetPack uses it. Because it allows remote posting, it serves as a method of authenticating a username/password instead of the traditional wp-login page. This was what they were trying to brute force, causing RAM to spike to over 2GB and server load to spike past 2.0. How can you prevent this attack? The most effective way for me is to put this in your .htaccess file:

RewriteEngine On
# Send every request for xmlrpc.php off to an unroutable address (0.0.0.0)
RewriteRule ^xmlrpc\.php$ http://0.0.0.0/ [R=301,L]

That’s it. It simply redirects requests for this xmlrpc file to a non-existent address: http://0.0.0.0/.
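The post found the attack by reading the access log for POST requests to xmlrpc.php. The script below is an added example (not code from the original post) that does that check over Apache "combined" format log lines: it counts xmlrpc.php POSTs per client IP, flags clients over a threshold, and tallies the status codes xmlrpc.php is returning, which is a quick way to confirm the redirect rule is taking effect (the lines should flip from 200 to 301 once the rule is live). The log lines, IP addresses and the threshold value are constructed samples and assumptions.

```python
"""Spot xmlrpc.php brute-force traffic in an Apache access log.

Added example, not from the original post. The sample log lines below are
constructed; the threshold of 3 is an assumed tuning value.
"""
import re
from collections import Counter

# Apache "combined" log format:
# ip ident user [time] "METHOD path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client hammering xmlrpc.php, ordinary traffic mixed in,
# plus a mangled line to make sure the parser tolerates it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:13:55:36 -0700] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Mar/2014:13:55:37 -0700] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:13:55:37 -0700] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2014:13:55:38 -0700] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Mar/2014:13:55:39 -0700] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.35"
203.0.113.7 - - [10/Mar/2014:13:55:40 -0700] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Mar/2014:13:55:41 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _is_xmlrpc(rec):
    """True when the request path (query string ignored) is /xmlrpc.php."""
    return rec["path"].split("?", 1)[0] == "/xmlrpc.php"


def xmlrpc_post_counts(log_text):
    """Count POST requests to /xmlrpc.php, keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines instead of aborting the whole scan
        if rec["method"] == "POST" and _is_xmlrpc(rec):
            counts[rec["ip"]] += 1
    return counts


def suspicious_clients(log_text, threshold=3):
    """IPs with at least `threshold` xmlrpc.php POSTs, busiest first."""
    counts = xmlrpc_post_counts(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def xmlrpc_status_counts(log_text):
    """Status codes returned for /xmlrpc.php (any method), to confirm the
    redirect rule is active: 200s mean the request still reached WordPress,
    301s mean the .htaccess rule answered it."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and _is_xmlrpc(rec):
            counts[rec["status"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG):
        print(f"{ip}: {n} POSTs to /xmlrpc.php")
    print("xmlrpc.php status codes:", dict(xmlrpc_status_counts(SAMPLE_LOG)))
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; a client IP showing hundreds of xmlrpc.php POSTs in a short window is the pattern the post describes, and a status tally that still shows 200 after the rule is deployed means the request is not hitting the rewrite (for example because mod_rewrite is not enabled for that directory).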

VPS: More Cores The Better?

Short answer? No. It’s actually far worse.

If you’ve been shopping for a new VPS, you’ll likely come across specs for the server like RAM, disk transfer (incorrectly, but often referred to as ‘bandwidth’), and CPU. When you compare packages and one host offers 4 or 8 vCPUs or cores while others offer only 1 or 2 vCPUs, do you automatically go with the larger number of cores? Let me explain why going with more cores is a bad idea.

The whole point of VPS hosting is to virtualize a physical server node so many smaller chunks of servers can co-exist. The goal is isolation, first and foremost. Coming from shared hosting, you’ll likely be sick of hosts that are oversold and other people’s accounts stealing all the server’s resources. This has come a long way with the advent of CloudLinux, but most people still flock to VPS for the isolation, whether it’s isolation of resources or isolation of software packages. Either way, a VPS is your own server and you can do anything you want.

While the idea of 8 vCPUs sounds enticing, as their marketing likely tells you that you can burst up to 8 cores when the server is idle, you’re just one of many who find this enticing, so you immediately sign up and migrate your high-resource website to the VPS. What people don’t seem to comprehend is that CPU steal is a real thing, and when you give everyone access to 8 cores, they’re all stealing from each other and the performance of your own VPS becomes very shaky and inconsistent. One moment your site is flying and all of a sudden it’s crawling. No one wants this. Limiting each VPS to only 1 or 2 cores makes the playing field much more fair. An individual VPS cannot burst and steal CPU from others.

After years of using VPS, you’ll come to appreciate the right host that divides up their nodes fairly.

Zappos SEO Bait and Switch

Shame on Zappos and shame on Google for not catching this and knocking them out of #1. While searching for a pair of new shoes I wanted to purchase, I of course went to Zappos first to check if they had them. They didn’t. Checked a few more of my usual stores, nada. Then I proceeded to Google in hopes of finding stores carrying this particular shoe in stock. Lo and behold, sitting in the number 1 spot is Zappos!

Zappos SEO Bait and Switch

I thought, oh man I must have missed it when I checked. Yes, now I can buy my shoes at the store I purchase all shoes from. I clicked and then…

Zappos Bait and Switch

What the hell, a Zappos search page with my Google query in the search bar? This is classic SEO bait-and-switch. If you look at the Google SERPs, Zappos indicated their TITLE tag was “Chuck Taylor Classic Boot Low Sneaker | Shipped Free at…” and their URL was “www.zappos.com/chuck-taylor-classic-boot-low-sneaker.” This was all indicative of an actual product page where I could purchase the item I was searching for. Instead, they’ve gamed the system to still rank #1 for people searching for shoes they don’t actually carry. Google, let me ask you, isn’t the point of your search algorithm that people should be able to find what they’re looking for, whether it’s information or ecommerce? Yet you’re ranking Zappos so high for search terms related to shoes, and the actual Zappos page is absolutely useless. I vote for a penalty to be handed out. Zappos is gaming the system, pure and simple.

You may have noticed that Sears, which is ranked #2, is doing the same thing; however, they’re at least transparent in their displayed URL, so you know beforehand that it’s going to be a search query on their website. Zappos, have you no shame? So desperate for orders that you had to resort to these tactics? C’mon.