GHOST (CVE-2015-0235) hit the internet and caused a lot of commotion, and it was found to affect WordPress installations through xmlrpc.php. This file is a constant security issue for the WordPress community: it has been the vector for everything from successful brute-force attacks to XML-RPC DoS attacks that bring down the targeted website. WordPress uses the XML-RPC protocol so that entries can be added programmatically. Using my favorite iptables module (string), we can drop requests that are attempting to abuse xmlrpc.php. By dropping this traffic we thwart the DoS, brute-force, and GHOST attacks that are being automated right now.
# Watch plaintext HTTP on port 80 for the two request lines that target xmlrpc.php.
# Each matching packet is recorded per source address (--set); a source whose earlier
# hits reach --hitcount 3 inside the last --seconds 10 has the packet dropped, and
# --update refreshes its timestamp so a source that keeps hammering stays blocked.
# Two things to note: the request line only appears in data packets after the TCP
# handshake, which conntrack already classes as ESTABLISHED, so a --state NEW match
# would never see it; and --update/--rcheck only consult existing entries, so the
# --set rules are what actually add a source to the list.
# The rules are inserted (-I), so the last two end up above the --set rules in the chain.
$ iptables -I INPUT -p tcp --dport 80 -m string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -m recent --name wordpress-XMLRPC-firewall --set
$ iptables -I INPUT -p tcp --dport 80 -m string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -m recent --name wordpress-XMLRPC-firewall --set
$ iptables -I INPUT -p tcp --dport 80 -m string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -j DROP
$ iptables -I INPUT -p tcp --dport 80 -m string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -j DROP
What is happening above is that we are looking at traffic arriving on port 80, using the string module to pick out the HTTP request lines that target xmlrpc.php, and tracking each source address with the recent module. A source that hits xmlrpc.php more than the --hitcount of 3 times inside the --seconds window of 10 seconds has its further xmlrpc.php requests dropped, and --update keeps it on the list for as long as it keeps trying, which thwarts the most common automated attacks on WordPress XML-RPC. Keep in mind that the string match only inspects plaintext HTTP on port 80 and only matches that exact request line; requests arriving over HTTPS are encrypted on the wire and are not seen by these rules.
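To see how the --seconds/--hitcount arithmetic plays out, here is an added Python model of the rule chain (not part of the original post, and not the netfilter code itself). It reproduces the xt_recent semantics as I understand them: the DROP check counts a source's earlier hits inside the window and, because it is --update rather than --rcheck, records the current packet when it matches, while the --set rule records every other matching packet. The 20-stamp cap per address is an assumption (the module's default ip_pkt_list_tot), and the packets are constructed sample traffic using documentation addresses.

```python
"""Toy model of the xmlrpc.php rate-limit rules: iptables string match plus xt_recent."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Parameters copied from the rules on the page.
SECONDS = 10          # --seconds 10
HITCOUNT = 3          # --hitcount 3
PATTERNS = ("GET /xmlrpc.php HTTP/1.1", "POST /xmlrpc.php HTTP/1.1")
# Assumption: xt_recent's default ip_pkt_list_tot of 20 stamps per address.
MAX_STAMPS = 20

Packet = Tuple[float, str, str]   # (arrival time in seconds, source IP, TCP payload)


@dataclass
class RecentList:
    """Per-source ring of hit timestamps, as kept by one named xt_recent list."""
    stamps: Dict[str, Deque[float]] = field(default_factory=dict)

    def set_hit(self, src: str, now: float) -> None:
        # --set: create the entry if it does not exist and record this hit.
        self.stamps.setdefault(src, deque(maxlen=MAX_STAMPS)).append(now)

    def update(self, src: str, now: float) -> bool:
        # --update --seconds S --hitcount H: matches only when the source is
        # already listed and at least H of its *earlier* hits fall within the
        # last S seconds; on a match the current packet is recorded as well,
        # which is what distinguishes --update from --rcheck.
        entry = self.stamps.get(src)
        if entry is None:
            return False
        recent_hits = sum(1 for t in entry if now - t <= SECONDS)
        if recent_hits >= HITCOUNT:
            entry.append(now)
            return True
        return False


def string_match(payload: str) -> bool:
    # -m string --algo bm: a literal substring search over the packet payload.
    return any(p in payload for p in PATTERNS)


def filter_packets(packets: List[Packet]) -> List[str]:
    """Apply the chain (DROP-check rules above the --set rules) and return one verdict per packet."""
    recent = RecentList()
    verdicts: List[str] = []
    for now, src, payload in packets:
        if not string_match(payload):
            verdicts.append("ACCEPT")       # neither rule matches; fall through the chain
        elif recent.update(src, now):
            verdicts.append("DROP")         # -m recent --update ... -j DROP
        else:
            recent.set_hit(src, now)        # -m recent --set has no target, so continue
            verdicts.append("ACCEPT")
    return verdicts


XMLRPC = "POST /xmlrpc.php HTTP/1.1\r\nHost: blog.example\r\n\r\n<methodCall/>"
INDEX = "GET /index.php HTTP/1.1\r\nHost: blog.example\r\n\r\n"

# Constructed sample traffic (documentation addresses; not a real capture).
SAMPLE: List[Packet] = [
    (0.0, "203.0.113.5", XMLRPC),   # hits 1-3 from the scanner are let through
    (0.5, "203.0.113.5", XMLRPC),
    (1.0, "203.0.113.5", XMLRPC),
    (1.5, "203.0.113.5", XMLRPC),   # 4th hit inside 10 s: three earlier hits -> DROP
    (2.0, "203.0.113.5", XMLRPC),   # still dropped; --update keeps the entry fresh
    (3.0, "198.51.100.7", INDEX),   # ordinary page view: the string never matches
    (4.0, "198.51.100.7", XMLRPC),  # a legitimate editor's first post goes through
    (30.0, "203.0.113.5", XMLRPC),  # scanner's old hits have aged out of the window
]


def run_sample() -> List[str]:
    return filter_packets(SAMPLE)


if __name__ == "__main__":
    for (now, src, payload), verdict in zip(SAMPLE, run_sample()):
        print(f"t={now:5.1f}s {src:14} {payload.splitlines()[0]:28} -> {verdict}")
```

Running it shows the fourth xmlrpc.php request from 203.0.113.5 inside the window being dropped while the unrelated page view and the editor's single post pass, and the same scanner being accepted again once its hits are older than ten seconds; the window is a sliding one measured from each new packet, not a fixed bucket.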