DDoS Attack on WordPress {Resolving XMLRPC DDoS WordPress Attack with .htaccess}

For a few days, I had been experiencing continuous MySQL server outages on my WordPress blog.

The warning was something like:

Warning: mysqli_real_connect(): (HY000/2002): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (111)

and

Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (111)

This error was happening frequently, and after a reboot of the server everything went back to normal.
At first I thought it was an issue with the swap area on the Linux server or a mysql-server error. After investigating here and there for a while, I checked the access log of the Apache server.

cd /var/log/apache2
tail access.log

The output was something like this:

Looking at the time gap between consecutive POST requests, they differ by only milliseconds, and all of them came from the IP "191.96.249.80", which belongs to a server in Russia.
To count how many requests that server had made, I ran grep:

grep -o '191\.96\.249\.80' access.log | wc -l

The output came in millions.


Even at the time of writing this post it is still increasing continuously. Each time a request is received, Apache tries to spawn a child process to service it. Before long you run out of memory, Apache starts failing to fork new processes, and MySQL gives up trying to allocate memory for its buffer pool. You basically run out of memory and all these requests grind your server to a halt.
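As an added example (my own script, not from the original post), here is a POSIX shell version of the counting step that works per client IP and only for POSTs to xmlrpc.php, so a noisy source stands out without knowing its address in advance. It assumes Apache's default "combined" log format; the function names and the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: count POST requests to
# xmlrpc.php per client IP in an Apache "combined" access log and list the
# clients at or above a threshold. Assumes the default combined LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"

# xmlrpc_flood_sources LOGFILE THRESHOLD
# Prints "count ip" (highest first) for each client IP with >= THRESHOLD
# POSTs to xmlrpc.php. Function name and default threshold are our own choices.
xmlrpc_flood_sources() {
    logfile="$1"
    threshold="${2:-1000}"
    awk -v thr="$threshold" '
        # $1 is the client IP (%h); $6 is the method with its leading quote
        # ("POST); $7 is the request path.
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= thr) printf "%d %s\n", hits[ip], ip
        }' "$logfile" | sort -rn
}

# Constructed sample log (documentation-range addresses only) so the script
# runs offline: one client hammering xmlrpc.php, two ordinary visitors.
write_sample_log() {
    out="$1"
    i=1
    : > "$out"
    while [ "$i" -le 5 ]; do
        printf '203.0.113.7 - - [10/Oct/2016:13:55:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '198.51.100.4 - - [10/Oct/2016:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.4 - - [10/Oct/2016:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/4.6"\n' >> "$out"
    printf '192.0.2.9 - - [10/Oct/2016:13:56:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "curl/7.47.0"\n' >> "$out"
}

# Usage: sh xmlrpc_flood.sh [/var/log/apache2/access.log] [threshold]
# With no log given, the constructed sample is analysed (threshold 3).
main() {
    if [ -n "$1" ]; then
        xmlrpc_flood_sources "$1" "${2:-1000}"
    else
        tmp="$(mktemp)"
        write_sample_log "$tmp"
        xmlrpc_flood_sources "$tmp" 3
        rm -f "$tmp"
    fi
}

main "$@"
```

On the sample data the only line printed is `5 203.0.113.7`; on a real log, point it at /var/log/apache2/access.log with a threshold that suits your traffic.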

Solution that worked for me: Unfortunately I didn't find any automatic service in AWS that blacklists IPs to fend off a DDoS attack, and there is no blacklisting in its security group either. So I changed the virtual host settings to block that IP.

cd /etc/apache2/sites-available/
sudo nano 000-default.conf   # whatever the active config for that website is; by default it is 000-default if nothing was added/changed

Add the following to that virtual host config:

<Files xmlrpc.php>
    # Apache 2.2 access-control syntax (needs mod_access_compat on Apache 2.4)
    Order allow,deny
    Deny from 191.96.249.80
    Allow from all
</Files>

Then restart so the new config takes effect:

sudo reboot now


Status code 403 responses are the result of the web server being configured to deny the client access to the requested resource.

And the attack is still up; I checked the count right now and it's 10,61,349.
What do these people get from targeting some personal blog 😛. Anyhow, I will share some more generic, scalable plugins and ways to avoid this; right now I'm busy with some other interesting stuff.
Done for now.