How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?

I manage a WordPress website using a virtual machine in the cloud, and lately I noticed a lot of unwanted requests to the xmlrpc.php component that are slowing down the site and causing high CPU loads. If it were up to me, I would disable it entirely, but the site uses the JetPack plugin, which relies on xmlrpc.

So, my question is: how to allow JetPack access to xmlrpc while blocking everyone else and without disabling xmlrpc on the server?

The site has brute force protection enabled with JetPack, and fail2ban is enabled and working, but it doesn't seem to fix the problem.

While doing some research, I found this workaround: https://www.namehero.com/startup/how-to-safely-disable-xmlrpc-in-wordpress-while-keeping-jetpack/ but after applying these settings to the .htaccess, the unwanted requests stop immediately, but JetPack gets blocked too. So it doesn't seem to work as expected, or I'm doing it wrong.

<Files xmlrpc.php>
Order allow,deny
Allow from 192.0.64.1/192.0.127.254
Deny from all
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</Files>

Update: These are the IP addresses that WordPress says are needed for Jetpack:

122.248.245.244/32
54.217.201.243/32
54.232.116.4/32
192.0.80.0/20
192.0.96.0/20
192.0.112.0/20
195.234.108.0/22
192.0.96.202/32
192.0.98.138/32
192.0.102.71/32
192.0.102.95/32

So, the question also is, how do I add these IP addresses to the .htaccess block above?


With a whitelist, you typically deny all first, then allow. Then just keep adding Allow entries as needed. Try this:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 122.248.245.244/32
Allow from 54.217.201.243/32
Allow from 54.232.116.4/32
Allow from 192.0.80.0/20
Allow from 192.0.96.0/20
Allow from 192.0.112.0/20
Allow from 195.234.108.0/22
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</Files>

Note: Those last few IPs from the list in your question are covered by the preceding CIDR range, 192.0.96.0/20, so I omitted them.

You can get up-to-date details on the specific IP addresses to whitelist for various Jetpack services here: https://jetpack.com/support/hosting-faq/.
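To check what the allowlist above actually admits before deploying it, here is an added example (not part of the original answer) that evaluates the same CIDR ranges in Python: it confirms the omitted /32 addresses are subsumed by 192.0.96.0/20 and classifies xmlrpc.php hits from a few constructed access-log lines into allowed Jetpack traffic and denied sources, the latter being what you would hand to fail2ban. The log lines and their IPs are made up for the example.

```python
import ipaddress
import re

# The allowlist from the answer; the /32s inside 192.0.96.0/20 are omitted as the answer does.
JETPACK_ALLOW = [ipaddress.ip_network(c) for c in (
    "122.248.245.244/32", "54.217.201.243/32", "54.232.116.4/32",
    "192.0.80.0/20", "192.0.96.0/20", "192.0.112.0/20", "195.234.108.0/22",
)]

# Apache combined log format: client IP, request line and status are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not real traffic); 192.0.98.138 is one of the omitted Jetpack /32s.
SAMPLE_LOG = [
    '192.0.98.138 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php HTTP/1.1" 200 8192',
]


def is_allowed(ip: str) -> bool:
    """True if ip falls in any allowlisted range; malformed addresses are denied."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in JETPACK_ALLOW)


def covered_by(cidr: str, ranges=JETPACK_ALLOW) -> list:
    """Return the allowlisted ranges that already contain the given network."""
    net = ipaddress.ip_network(cidr)
    return [str(r) for r in ranges if net.version == r.version and net.subnet_of(r)]


def audit_xmlrpc(log_lines):
    """Count xmlrpc.php requests the allowlist would admit, and tally denied sources."""
    allowed, denied = 0, {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3).split("?")[0] != "/xmlrpc.php":
            continue
        ip = m.group(1)
        if is_allowed(ip):
            allowed += 1
        else:
            denied[ip] = denied.get(ip, 0) + 1
    return allowed, denied


if __name__ == "__main__":
    print(covered_by("192.0.102.95/32"))   # the /20 that makes this /32 redundant
    print(audit_xmlrpc(SAMPLE_LOG))        # (allowed hits, {denied ip: count})
```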


Personally, I use fail2ban. That method has the advantage of preventing sketchy IPs from making any further type of request to your server, either permanently or for a period of time according to your settings. You might just need to review your fail2ban settings and reconfigure them to be tighter. It could possibly be related to this issue.

It's also worth noting that Automattic offers free support for all Jetpack users. (Full disclosure: I work there.)
