How to deal with the ‘NoneNone’ Brute Force attacks

Since the last week of November I have noticed an increased volume of brute force attacks on several websites that are under my management. Although this kind of attack is not new, there was something peculiar about these login attempts: they all used the same username, “NoneNone”.

Not much to go on

A quick search on the internet did not lead to any useful information at the time. There was no reporting from Wordfence or other security plugins on this specific type of attack, so I went to search on Twitter.

There were a few other people who experienced the same issue as me. I got in touch with one of them. We shared configuration details and concluded that we had no plugins and themes in common except the Wordfence plugin. I copied Wordfence into the conversation, but they never replied.

Blocking usernames

So with no clue about what was happening, and without help from Wordfence, I decided to block every login attempt that used the username “NoneNone” or “nonenone” in the Wordfence Firewall. Here is how you can do this.

  • Go to the Wordfence / Firewall in your dashboard.
  • Then click on “All Firewall options”.
  • Under the tab “Brute Force Protection”, the option “Immediately block the IP of users who try to sign in as these usernames” lets you list usernames; any IP that attempts to log in with one of them is blocked straight away.
[Screenshot: Wordfence Firewall settings, blocking usernames in the Firewall]

The role of XML-RPC

This tweet, which Wordfence did reply to, caught my attention.

In that tweet Wordfence mentions that these attacks come in through the well known file xmlrpc.php rather than wp-login.php. That actually makes sense. XML-RPC methods such as wp.getUsersBlogs take a username and password as parameters, and the system.multicall method lets a client bundle many method calls into a single HTTP request, so one POST to xmlrpc.php can test hundreds of credential pairs while looking like a single request to anything that rate-limits logins per request. The file has been abused for brute force and for pingback-based attacks before. If you aren’t using any services (like Jetpack or the WordPress mobile apps) that depend on this functionality, my advice would be to disable it entirely. Here’s how to do that.

Disable XML-RPC through a single line of code

When you manage several WordPress websites you may know how to add PHP snippets. Add this snippet to a code snippet plugin, a child theme’s functions.php, or a small mu-plugin. Note what it does and does not do: the xmlrpc_enabled filter only disables the XML-RPC methods that require authentication, so login attempts through xmlrpc.php fail with “XML-RPC services are disabled on this site.”, but the file itself is still served and unauthenticated methods such as pingback.ping keep working. If you want the file gone completely, use one of the server-level methods below.

// Refuse all XML-RPC methods that require authentication (logins via xmlrpc.php).
// Unauthenticated methods such as pingback.ping are still answered.
add_filter('xmlrpc_enabled', '__return_false');

Disable XML-RPC through a plugin

If you are not sure how to implement the line above, you can also use a plugin for this. Please note that this plugin hasn’t been updated in several years; however, the plugin contains nothing more than the single line of code I mention above, so the lack of updates is not a concern in itself.

Disable XML-RPC on the server

In case you want to block the file directly on the server, you can do this as follows. On Apache servers you can add these rules to your .htaccess file (the document root of the WordPress install). On Apache 2.4 use the Require syntax:

# Block requests to xmlrpc.php (Apache 2.4)
<Files "xmlrpc.php">
Require all denied
</Files>

On Apache 2.2, or on 2.4 with mod_access_compat loaded, the older Order/Deny syntax does the same thing:

# Block requests to xmlrpc.php (Apache 2.2 syntax)
<Files "xmlrpc.php">
order deny,allow
deny from all
</Files>

Requests to the file now get a 403 instead of reaching PHP at all, which also saves the server the work of running WordPress for every attempt.

With the .htaccess method it’s also possible to add exceptions for services that are allowed to use XML-RPC. Add the IP address of the service to the .htaccess file. The address 192.0.2.10 below is a documentation placeholder; replace it with the service’s published IP address or range. On Apache 2.4 a Require ip directive on its own allows only the listed addresses and denies everybody else:

# Block requests to xmlrpc.php with an exception for one IP (Apache 2.4)
<Files "xmlrpc.php">
Require ip 192.0.2.10
</Files>

The equivalent in the older syntax:

# Block requests to xmlrpc.php with an exception for one IP (Apache 2.2 syntax)
<Files "xmlrpc.php">
order deny,allow
deny from all
allow from 192.0.2.10
</Files>

If you use Nginx the .htaccess approach won’t work, because Nginx ignores .htaccess files. Put the equivalent in the server block of your site configuration instead. Use an exact-match location (the = sign) so that only /xmlrpc.php is affected and not other URIs that happen to start with that string, and list any allowed service IPs (192.0.2.10 is a placeholder) before the deny rule:

# nginx: block xmlrpc.php requests, optionally allowing one service IP
location = /xmlrpc.php {
    allow 192.0.2.10;
    deny all;
}

Reload Nginx afterwards (nginx -t to check the syntax, then nginx -s reload).
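Once you have applied one of the mitigations above, it is worth checking from the outside that it actually works, and worth seeing why xmlrpc.php is such an attractive target in the first place. The script below is an added example, not code from the original post or from Wordfence. It builds the same kind of system.multicall request an attacker sends (many wp.getUsersBlogs logins in one HTTP request) and classifies the answer: blocked at the web server, disabled through the xmlrpc_enabled filter (the file still answers, but logins are refused), or still fully enabled. The two fault strings are assumed to be the ones WordPress core returns from its login check; the sample responses are constructed locally so the example runs offline, and probe() is the only function that talks to a site.

```python
"""Probe a WordPress site's xmlrpc.php and classify how it handles login attempts.

Added example, not from the original post. Assumptions: the two fault strings
below are the messages WordPress core returns for disabled XML-RPC and for a
bad password; the sample responses further down are constructed locally.
"""
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

DISABLED_MSG = "XML-RPC services are disabled on this site."  # assumed core string
BAD_LOGIN_MSG = "Incorrect username or password."             # assumed core string


def build_multicall(credentials):
    """Return the XML body an attacker POSTs: N wp.getUsersBlogs logins packed
    into ONE HTTP request via system.multicall. That packing is why brute force
    through xmlrpc.php sidesteps per-request throttling on wp-login.php."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [user, password]}
        for user, password in credentials
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def classify_response(status, body):
    """Map the HTTP status and body of POST /xmlrpc.php to a mitigation state."""
    if status in (401, 403, 404):
        return "blocked-at-server"          # .htaccess / nginx rule is working
    if status != 200:
        return f"unexpected-http-{status}"
    try:
        (results,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # The whole multicall was refused; treat it like a single per-call fault.
        results = [{"faultCode": fault.faultCode, "faultString": fault.faultString}]
    except (xmlrpc.client.ResponseError, ExpatError):
        return "not-xmlrpc"                 # e.g. an HTML block page from a WAF
    if not isinstance(results, list):
        return "not-multicall"
    # In a multicall response each successful call is a one-element list and
    # each failed call is a {faultCode, faultString} struct.
    faults = [r for r in results if isinstance(r, dict)]
    if faults and all(r.get("faultString") == DISABLED_MSG for r in faults):
        return "auth-disabled-file-still-served"   # xmlrpc_enabled filter in place
    if len(faults) == len(results):
        return "enabled-all-logins-failed"         # still reachable: keep blocking
    return "enabled-some-login-succeeded"          # a credential pair worked


def probe(site_url, credentials=(("NoneNone", "NoneNone"),), timeout=10):
    """POST the multicall to a site you administer and classify the answer."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_multicall(credentials).encode(),
        method="POST",
        headers={"Content-Type": "text/xml"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())


def _sample_response(per_call_results):
    """Construct a methodResponse body shaped like WordPress's multicall reply."""
    return xmlrpc.client.dumps((per_call_results,), methodresponse=True)


# Constructed sample responses (not captured from a real site).
SAMPLE_DISABLED = _sample_response([
    {"faultCode": 405, "faultString": DISABLED_MSG},
    {"faultCode": 405, "faultString": DISABLED_MSG},
])
SAMPLE_ENABLED = _sample_response([
    {"faultCode": 403, "faultString": BAD_LOGIN_MSG},
    {"faultCode": 403, "faultString": BAD_LOGIN_MSG},
])

if __name__ == "__main__":
    print(classify_response(403, b"<html>Forbidden</html>"))
    print(classify_response(200, SAMPLE_DISABLED))
    print(classify_response(200, SAMPLE_ENABLED))
```

Only run probe() against sites you manage. A result of "blocked-at-server" means the .htaccess or Nginx rule is doing its job; "auth-disabled-file-still-served" means the PHP filter is active but the file still answers unauthenticated methods such as pingback.ping; anything starting with "enabled" means the attacks still reach WordPress.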

That’s it.