WordPress hosting done right. done fast. done secure


even more DDoS defense against xmlrpc and login attempts for your VPS

I am guessing if you’re running any sort of reasonable VPS you have fail2ban or something similar to stop too many hits on xmlrpc and login attempts. As we’ve all seen too many hits on these URLs and it eats all your CPU up, and your site either slows or crashes.


We use haproxy in front of our hosting stack. It does many jobs for us, including DDoS defense.

Of course we have mod_security and a fail2ban type scripts to ban repeat offenders. But this solution is more scalable, uses less resources, and can catch the first hack attempt.

Our solution is to:

  • check if the requests are ¬†xmlrpc or login attempts
  • only catch connection where the first request on a tcp session looks like trouble (xmlrpc or login)
  • that don’t previously have a tcp-session. With keep-alive most real users will already have a tcp session with haproxy.
  • delay for 4 seconds

The idea is most bots/attackers with either think the webserver is broken, or the delay is so large , if they are iterating a list or something 4 seconds slow down is fairly large.

Real users aren’t usually delayed. If they surf to /wp-admin/ first, and redirected to the login page, they’ll have a tcp session already as part of keep-alive.

Of course we have mod_security and a fail2ban type scripts to ban repeat offenders. But this solution has a few unique advantages:

  • it occurs before mod_security, and your webserver, and php, so it takes less resources
  • it delays the very first potential attack
  • it scales better, and can handle way more attacking hits/clients than a mod_security/fail2ban solution can handle
  • even if a real user hits the delay, they aren’t blocked, they still get their page

Here is our haproxy recipe for xmlrpc and login attempts

#this wont delay all traffic
tcp-request inspect-delay 4s

# create an acl to hold trouble requests
acl trouble path_beg -i /xmlrpc.php
acl trouble path_beg -i /wp-login.php

# if your no trouble, dont wait
tcp-request content accept unless trouble

# if you are trouble, we'll wait the whole 4seconds inspection time
tcp-request content accept if WAIT_END

By on August 17th, 2016

Email or call, and we can arrange a time to chat call 0412927156 or CONTACT US TODAY!