Brute Force Monitor: xmlrpc.php POST 200: add 8x multiplier (TEMPLATE)

Version 1.59

Feature
Finished

xmlrpc.php is an API file included with WordPress, used for data transfers or actions between WordPress and other software. A stand-alone setup often does not need web access to this file, but any external connections, such as iPhone apps that routinely POST to it and receive a 200 return code, would require it. It is also one of the major attack points for WordPress, used in attempts to guess the website's WordPress password. As a result, when "Scan for WordPress attacks" is enabled in the Admin Settings, our Brute Force Monitor (BFM) scans for POSTs to this file that receive a valid 200 return code (the wordpress2 entry in brute_filter.list).

This change increases the match count for that entry. Previously it was the same as the Brute Force Monitor's count limit (set in Admin Settings); it is now 8x that value, to allow for possible valid usage while still blocking attacks. For example, if you set ip_brutecount=100, aka "Notify Admins after an IP has: [100] login failures on any account", any User would be allowed 800 POSTs with a 200 response code to xmlrpc.php, based on the BFM's rules.

Note that the BFM's time window is sliding: the count only resets to 0 after a period of time in which no attacks are counted. So with Admin Settings: "Reset count of IP/User failed attempts: [4] hours after last attempt", a period of 4 hours must pass with 0 failed attempts from an IP address for its count (up to 800) to reset to 0. If even 1 POST to xmlrpc.php with a 200 response is done per hour, the count will never reset, and the 800 limit WILL eventually be hit.

We'll continue to evaluate other options for this. There are plugins for WordPress which can monitor for such attacks, such as WordFence, saving the need for DA to do it. It's ultimately up to a website to protect itself, as the "Scan for WordPress attacks" option is simply there as a fall-back in case the website owner failed to secure WordPress.
=============== TEMPLATE

brute_filter.list

Changed:
wordpress2=ip_after=&ip_until= -&text=] "POST /&text2=/xmlrpc.php&text3=" 200%20

to be:
wordpress2=ip_after=&ip_until= -&text=] "POST /&text2=/xmlrpc.php&text3=" 200%20&count_multiplier=8
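The following is an added example, not DirectAdmin's code, that models the counting behaviour described above: it parses the wordpress2 rule line shown in the template, applies it to constructed Apache access-log lines, and keeps a per-IP sliding counter whose threshold is ip_brutecount multiplied by count_multiplier and which only resets after the configured quiet period. It assumes (the page does not state this) that every text/text2/text3 field must appear as a substring of the log line, that %20 in a field decodes to a space, and that ip_after/ip_until delimit where the client IP sits in the line, with an empty ip_after meaning the line start.

```python
"""Sliding-window counter for POST-to-xmlrpc.php hits with a 200 response.

Example code added for illustration; it is not DirectAdmin's implementation.
Assumptions not stated on the page: every text* field of a brute_filter.list
rule must occur as a substring of the log line, %20 decodes to a space, and
ip_after/ip_until delimit the client IP (empty ip_after = start of line).
"""
from datetime import datetime, timedelta
from urllib.parse import unquote

# The rule exactly as shown in the TEMPLATE section of this entry.
RULE = ('wordpress2=ip_after=&ip_until= -&text=] "POST /&text2=/xmlrpc.php'
        '&text3=" 200%20&count_multiplier=8')

LOG_TIME_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_rule(line):
    """Split 'name=k1=v1&k2=v2...' into (name, {key: decoded value})."""
    name, _, body = line.partition("=")
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote(value)
    return name, fields


def matches(fields, log_line):
    """True if every non-empty text* field occurs in the line (assumed semantics)."""
    needles = [v for k, v in fields.items() if k.startswith("text") and v]
    return all(n in log_line for n in needles)


def extract_ip(fields, log_line):
    """Client IP: text between ip_after (or line start) and ip_until."""
    start = 0
    if fields.get("ip_after"):
        start = log_line.index(fields["ip_after"]) + len(fields["ip_after"])
    end = log_line.index(fields["ip_until"], start)
    return log_line[start:end]


def extract_time(log_line):
    """Parse the [dd/Mon/yyyy:HH:MM:SS +zzzz] timestamp of an access-log line."""
    stamp = log_line[log_line.index("[") + 1:log_line.index("]")]
    return datetime.strptime(stamp.split()[0], LOG_TIME_FMT)


def scan(log_lines, rule=RULE, ip_brutecount=1, reset_hours=4):
    """Return {ip: (final_count, time_threshold_was_first_reached_or_None)}.

    The window is sliding: a counter only returns to 0 when reset_hours pass
    with no matching hit from that IP, as the changelog entry describes.
    """
    _, fields = parse_rule(rule)
    threshold = ip_brutecount * int(fields.get("count_multiplier", 1))
    state = {}  # ip -> (count, last_hit_time, flagged_at)
    for line in log_lines:
        if not matches(fields, line):
            continue
        ip, when = extract_ip(fields, line), extract_time(line)
        count, last, flagged = state.get(ip, (0, None, None))
        if last is not None and when - last >= timedelta(hours=reset_hours):
            count = 0  # quiet period elapsed: counter resets before this hit
        count += 1
        if flagged is None and count >= threshold:
            flagged = when
        state[ip] = (count, when, flagged)
    return {ip: (c, f) for ip, (c, _, f) in state.items()}


def constructed_log():
    """Constructed sample access-log lines (not real traffic), time-sorted."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    fmt = '{ip} - - [{ts} +0000] "{req} HTTP/1.1" {code} 512 "-" "{ua}"'

    def ts(h):
        return (base + timedelta(hours=h)).strftime(LOG_TIME_FMT)

    lines = []
    # 203.0.113.5: one POST every 2 hours for 20 hours (11 hits). A 4-hour
    # quiet period never occurs, so its counter never resets.
    for h in range(0, 21, 2):
        lines.append(fmt.format(ip="203.0.113.5", ts=ts(h),
                                req="POST /xmlrpc.php", code=200, ua="example-app"))
    # 198.51.100.7: two POSTs ten hours apart, so the window resets in between.
    for h in (1, 11):
        lines.append(fmt.format(ip="198.51.100.7", ts=ts(h),
                                req="POST /blog/xmlrpc.php", code=200, ua="example-app"))
    # Lines that must not count: a GET, and a POST that was answered 403.
    lines.append(fmt.format(ip="198.51.100.7", ts=ts(3), req="GET /xmlrpc.php",
                            code=200, ua="example-app"))
    lines.append(fmt.format(ip="203.0.113.5", ts=ts(5), req="POST /xmlrpc.php",
                            code=403, ua="example-app"))
    return sorted(lines, key=extract_time)


if __name__ == "__main__":
    for ip, (count, flagged) in scan(constructed_log()).items():
        print(ip, "count =", count, "threshold reached at", flagged)
```

With ip_brutecount=1 the threshold is 8, so the host posting every two hours is flagged on its eighth hit even though it never exceeds one request per two hours; raising reset_hours below the gap between hits, or raising ip_brutecount, changes the outcome, which is the trade-off the multiplier is meant to soften.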
