WordPress xmlrpc.php attack

This morning I woke up to an email alert in my inbox: "more than 90% CPU use over 2h".

Hmm... interesting. Did I become famous overnight, or am I under attack?

A quick look at the server showed that the CPU was still maxed out.

[Image: CPU usage during the WordPress attack]

Did I introduce some weird bug?

Let me check the Nginx requests.

[Image: Nginx request rate during the WordPress attack]

My hopes of fame rose for a moment, but the traffic was too constant; it looked more like a brute force attack.

First things first: I ran top and found php-fpm eating all of my CPU.

Running tail on /var/log/nginx/access.log showed that someone was brute forcing me:

172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

A quick Google search turned up the cause: this is a well-known abuse of the WordPress XML-RPC endpoint. xmlrpc.php accepts authenticated method calls (wp.getUsersBlogs is the usual one), so attackers use it to brute force passwords, and with system.multicall a single POST can carry hundreds of login attempts. Every attempt costs a password hash check in PHP, which matches php-fpm pegging the CPU while Nginx only sees a steady stream of POSTs returning 200.

One detail worth noticing in the log: 172.21.0.6 is a private (RFC 1918) address, so what Nginx logged here is the container or proxy sitting in front of it, not the attacker. If you want to block or rate limit by source address, Nginx needs the real client IP first (for example from the X-Forwarded-For header via ngx_http_realip_module).
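As an added example (not code from the original post), here is a small detection script that does what the tail of access.log showed by hand: it parses Nginx combined-format log lines and flags any source address that POSTs to /xmlrpc.php at least a threshold number of times inside a sliding window. The log lines embedded in it are constructed, modelled on the ones above; the threshold of 5 hits in 60 seconds and the helper names are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the access.log lines in the post: a burst of
# POSTs to /xmlrpc.php from one address, plus normal traffic that must not be
# flagged (a page view, and a client using XML-RPC at a sane rate).
SAMPLE_LOG = """\
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
172.21.0.6 - - [27/May/2017:08:08:12 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 422 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
203.0.113.7 - - [27/May/2017:08:08:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.9 - - [27/May/2017:08:08:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "ConstructedLegitClient/1.0"
198.51.100.9 - - [27/May/2017:08:12:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "ConstructedLegitClient/1.0"
this line is not an access log line and must be skipped
"""

# Nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def max_hits_in_window(stamps, window_seconds):
    """Largest number of timestamps that fall inside any span of window_seconds."""
    stamps = sorted(stamps)
    best = start = 0
    for end, t in enumerate(stamps):
        while (t - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def xmlrpc_offenders(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_hits} for addresses that POSTed to /xmlrpc.php at least
    `threshold` times inside any `window_seconds` span (threshold is an assumption)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/xmlrpc.php":
            hits[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, stamps in hits.items():
        peak = max_hits_in_window(stamps, window_seconds)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, peak in xmlrpc_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} POSTs to /xmlrpc.php within 60s")
```

Point it at a real file with `xmlrpc_offenders(open("/var/log/nginx/access.log"))`. It keys on whatever address Nginx logged, so behind a proxy or container network (as with 172.21.0.6 above) you would need the real client IP in the log before using its output for banning.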

Since I don't use the XML-RPC API to access my WordPress (it is what the mobile apps, Jetpack and pingbacks talk to), the fix was simple: just block it.

A quick trip to Nginx's config file and the problem was solved.

server {
    ...
    # Exact match (=) so this block wins over a regex location such as
    # "location ~ \.php$" in the same server; a plain prefix location would
    # lose to the regex and the request would still reach php-fpm.
    location = /xmlrpc.php {
        deny all;   # answered with 403 by Nginx itself, PHP is never invoked
    }
    ...
}

Check the config with nginx -t, reload Nginx, and it's done: a POST to /xmlrpc.php now gets a 403 straight from Nginx and never touches php-fpm.

If you run WordPress and don't need XML-RPC, you can do this before being brute forced and avoid the problem in the first place. If you do need it (for the mobile app, Jetpack or pingbacks), rate limit the endpoint instead of blocking it outright.