Wordpress website breaking
March 3, 2014 2:29 PM Subscribe
I have a frustrating issue with a site hosted on Wordpress. Every now and again - and seemingly at random - I will get a message saying "Resource Limit Is Reached - The website is temporarily unable to service your request as it exceeded resource limit. Please try again later" when I try and visit my site or dashboard.
My hosting company identified the problem as being excessive requests for the file 'xmlrpc.php' (over a quarter of a million a day from some IPs). A bit of Googling reveals that it's some kind of attempted hack and the file in question is usually used by Wordpress for remote access via apps, etc. In their words: "After some digging around, it seems that the xmlrpc.php file is only utilised by the remote post feature in WordPress such as sending e-mails / text messages and having WordPress automatically post these as new posts."
It's already slightly beyond my technical comprehension, but they kindly blocked the IPs in question. Of course, the problem returned a couple of times. I installed a plugin and renamed the file in question and as was well for a weeks. Until this evening.
Has anyone else encountered this problem? My tech guy also said "Alternatively, it looks as though all of these SPAM "bots" are utilising MSIE 7.0 as their useragent, you could also look at blocking this within your .htaccess although this would prove ineffective if they changed this / used another user agent. It would also block any legitimate users using Internet Explorer 7.0 as their browser which whilst it's 4 versions out of date, no date some people are still using it." How do I do that?
My hosting company identified the problem as being excessive requests for the file 'xmlrpc.php' (over a quarter of a million a day from some IPs). A bit of Googling reveals that it's some kind of attempted hack and the file in question is usually used by Wordpress for remote access via apps, etc. In their words: "After some digging around, it seems that the xmlrpc.php file is only utilised by the remote post feature in WordPress such as sending e-mails / text messages and having WordPress automatically post these as new posts."
It's already slightly beyond my technical comprehension, but they kindly blocked the IPs in question. Of course, the problem returned a couple of times. I installed a plugin and renamed the file in question and as was well for a weeks. Until this evening.
Has anyone else encountered this problem? My tech guy also said "Alternatively, it looks as though all of these SPAM "bots" are utilising MSIE 7.0 as their useragent, you could also look at blocking this within your .htaccess although this would prove ineffective if they changed this / used another user agent. It would also block any legitimate users using Internet Explorer 7.0 as their browser which whilst it's 4 versions out of date, no date some people are still using it." How do I do that?
I would advise a few things: install the Bad Behavior plugin which will handle automated attempts to access WordPress, and WP Super Cache which may assist (not sure) but will help cut down on resources your WP instance will need. The Disable XML-RPC plugin is also a good fix. I believe they used to allow you to change whether XMLRPC was on or off in Settings but I'm not seeing it on my current blogs. XMLRPC allows using things like the iPhone or Android app to make changes on your blog.
I've not encountered the problem but that *kind* of problem, using automated bots to attempt login, posting, commenting are common attacks against WordPress and all web applications. Good on your host for working with you.
posted by artlung at 3:08 PM on March 3, 2014
I've not encountered the problem but that *kind* of problem, using automated bots to attempt login, posting, commenting are common attacks against WordPress and all web applications. Good on your host for working with you.
posted by artlung at 3:08 PM on March 3, 2014
Response by poster: Thanks both. The site let me in briefly and I could see the file hadn't been reinstated by a recent update. I was also able to install the Bad Behaviour plug-in, but it was a brief respite as it's now down again. How do I password protect the admin directory?
posted by jonathanbell at 5:06 PM on March 3, 2014
posted by jonathanbell at 5:06 PM on March 3, 2014
If you're nontechnical typically webhosts provide a mechanism to add htaccess/htpasswd combination files to arbitrary directories. Who's the webhost?
It sounds like you're under DDoS attack. Are you?
One other thing - do you get any different results when you load the site with your cookies all removed? (in Chrome you can open a new incognito window; or in IE you can open InPrivate browsing mode, and Firefox calls it Private browsing).
Feel free to MeMail or email me if you have questions I'd be glad to try to help.
posted by artlung at 9:10 PM on March 3, 2014
It sounds like you're under DDoS attack. Are you?
One other thing - do you get any different results when you load the site with your cookies all removed? (in Chrome you can open a new incognito window; or in IE you can open InPrivate browsing mode, and Firefox calls it Private browsing).
Feel free to MeMail or email me if you have questions I'd be glad to try to help.
posted by artlung at 9:10 PM on March 3, 2014
Response by poster: I guess I'm under DDoS attack, although not sure how I'd know for certain. The site can be reached now, but only after multiple attempts at reloading the page (and only in Firefox private browsing, not a normal window).
One of the last things I was able to do last night was install Bad Behaviour - it shows 57,139 attempts in the past six hours (and rising), all trying to get at this mysterious file. I'll go back to the hosting company and drop you a line as well - thank you for all your help so far.
posted by jonathanbell at 11:59 PM on March 3, 2014
One of the last things I was able to do last night was install Bad Behaviour - it shows 57,139 attempts in the past six hours (and rising), all trying to get at this mysterious file. I'll go back to the hosting company and drop you a line as well - thank you for all your help so far.
posted by jonathanbell at 11:59 PM on March 3, 2014
I installed the NinjaFirewall plugin a few days ago. That sits before the wordpress and saves ridiculous amounts of bandwidth. I put Wordfence on top and enable agressive throttling for bots and crawlers. As the functionality overlaps I would switch off the login protection in WF and let NF handle it. It's too early to say but over the last few days it looks like I spent 60% of what I usually spend on bandwidth.
posted by yoHighness at 11:28 AM on March 5, 2014
posted by yoHighness at 11:28 AM on March 5, 2014
Oh and switch on CloudFlare if your host lets you.
posted by yoHighness at 11:29 AM on March 5, 2014
posted by yoHighness at 11:29 AM on March 5, 2014
Response by poster: Thanks everyone. It was a few days of back and forth with my (excellent) hosts and some brilliant input from artlung - my eternal gratitude. For now the rogue IPs have gone elsewhere and the site is back to its normal self. I'm not 100% sure what sorted it all out in the end - it may just have been good old fashion blocking.
posted by jonathanbell at 6:01 AM on April 4, 2014 [1 favorite]
posted by jonathanbell at 6:01 AM on April 4, 2014 [1 favorite]
This thread is closed to new comments.
This is the code to block IE7 users. Personally, I wouldn't go this route. Replace BadBot with whatever the user agent string is that you want to block.
http://go.away obviously doesn't exist - so anybody using IE7 should get a 404 error.
#get rid of the bad bot
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^BadBot
RewriteRule ^(.*)$ http://go.away/
posted by COD at 3:07 PM on March 3, 2014