Quick and dirty way to prevent XML-RPC Pingback Attacks
XML-RPC pingback attacks are really annoying. From time to time you see lots of POST /xmlrpc.php requests coming from many different IP addresses. Sometimes the number of requests is big enough to crash a server (yes, my server is a tiny angel). But I can't disable WordPress XML-RPC because I need it for Jetpack to work (post by email, how cool!). Therefore, I figured out a quick and dirty way to prevent this: only allow Jetpack IP addresses to call XML-RPC.
These IPs are not published by WordPress (I don't know why); they state that:
“We aren’t able to provide any IP addresses for Jetpack as they fluctuate. You could try whitelisting *.wordpress.com for both inbound and outbound traffic, as a workaround.”
However, by looking at my server log, I saw 2 potential IP address ranges. A quick lookup confirmed my suspicion. Here they are (Update: Ben (in the comments below) provided me with a list of IP addresses he found in his server log. I double-checked and updated them here.):
66.135.32.0/19
66.155.0.0/18
69.174.240.0/20
72.232.0.0/17
76.74.248.0/21
192.0.64.0/18
198.181.116.0/22
207.198.64.0/18
209.15.0.0/16
216.151.208.0/20
And here is a sample configuration for nginx:
server {
    # nginx checks allow/deny rules in order and stops at the first match,
    # so "deny all" must be the LAST rule. With "deny all" first, every
    # client, Jetpack included, gets a 403.
    location ~ xmlrpc\.php {
        allow 127.0.0.0/24;
        allow ::1/128;
        allow 66.135.32.0/19;
        allow 66.155.0.0/18;
        allow 69.174.240.0/20;
        allow 72.232.0.0/17;
        allow 76.74.248.0/21;
        allow 192.0.64.0/18;
        allow 198.181.116.0/22;
        allow 207.198.64.0/18;
        allow 209.15.0.0/16;
        allow 216.151.208.0/20;
        deny all;
        # Because this regex location now matches xmlrpc.php instead of the
        # site's generic "location ~ \.php$" block, it also needs the same
        # fastcgi_* directives (fastcgi_pass etc.) as that block; otherwise
        # nginx tries to serve the file statically instead of running it.
    }
}
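Before deploying the allowlist it is worth a dry run against your access log. The script below is an added example, not code from the original post: it parses nginx combined-format log lines, counts POST /xmlrpc.php requests per client, and reports which clients the ranges above would deny. The sample log lines are constructed; the allowed ranges are the ones from the config.

```python
import ipaddress
import re
from collections import Counter

# The ranges listed in the post (Jetpack) plus localhost, mirroring the nginx config.
ALLOWED = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/24", "::1/128",
    "66.135.32.0/19", "66.155.0.0/18", "69.174.240.0/20", "72.232.0.0/17",
    "76.74.248.0/21", "192.0.64.0/18", "198.181.116.0/22", "207.198.64.0/18",
    "209.15.0.0/16", "216.151.208.0/20",
)]

# nginx "combined" log format: client ip, [time], "METHOD path PROTO", status, ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_allowed(ip):
    """True if the client address falls inside any allowed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)


def classify_log(lines):
    """Count POST /xmlrpc.php requests per client and flag which ones the
    allowlist would deny. Returns {client_ip: (count, allowed)}."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            hits[ip] += 1
    return {ip: (n, is_allowed(ip)) for ip, n in hits.items()}


# Constructed sample log lines (not from the author's server): one client in a
# Jetpack range and two clients outside the allowlist hammering xmlrpc.php.
SAMPLE_LOG = """\
192.0.80.5 - - [10/Oct/2014:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack by WordPress.com"
203.0.113.9 - - [10/Oct/2014:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2014:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2014:13:55:39 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "curl/7.35"
""".splitlines()

if __name__ == "__main__":
    for ip, (n, ok) in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{ip:16} {n:4} xmlrpc.php POSTs  {'ALLOW' if ok else 'DENY'}")
```

To run it on a real log, pass the open file instead of SAMPLE_LOG (e.g. classify_log(open("/var/log/nginx/access.log")), assuming the default Debian log path); any Jetpack client reported as DENY means a range is still missing.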
If you know any other IP ranges, let me know and I will update my post. Happy blogging!