
I have xmlrpc.php disabled, but the botnets love it. Is it safe to fail2ban an IP after a single hit? Or will that result in false positives from other WordPress internals trying to do something stupid?
It's impossible to find a coherent explanation of how it is used or why.
It's the endpoint used for the MetaWeblog API for posting. If you post from outside WordPress, you may be using it indirectly. If you don't use it, you can remove the file or ban anyone who tries to go near it. WordPress internals have no reason to use it - they're internals, they can do whatever it is directly.
...Maybe not remove, since WordPress will likely just put it back when it updates, and for all I know it might fail some consistency check. But limit access, absolutely. (Also, all the operations of the API require a username and password so no WordPress internals - or for that matter incompetent WordPress plugins - could use it to do WordPress-y things they could be doing in code.)
I've already, long ago, disabled it like this:
add_filter('xmlrpc_enabled', '__return_false');
I was asking whether it's safe to immediately blackhole someone's IP if they hit the URL.
And relatedly:
add_filter('json_enabled', '__return_false');        // filters of the old WP REST API v1 plugin;
add_filter('json_jsonp_enabled', '__return_false');  // core's REST API uses the rest_* filter names instead
remove_action('wp_head', 'rest_output_link_wp_head');           // drop the REST API <link> from <head>
remove_action('template_redirect', 'rest_output_link_header');  // drop the REST API Link: response header
remove_action('wp_head', 'wp_oembed_add_discovery_links');      // drop oEmbed discovery <link> tags
remove_action('wp_head', 'wp_oembed_add_host_js');              // drop the oEmbed host script
If you do that, a troll might embed an img tag pointing to your xmlrpc.php on their website, getting all of their visitors banned from here.
Literally any use of fail2ban can be attacked that way. I'll take the chance.
Modulo the counting and timing options. It is probably better to let them hit it a handful of times per day, in case some extension, experiment, or error is hitting it on legit users' behalf.
Yeah, my general strategy for automated bans is to trigger quickly and also expire quickly.
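The "let them hit it a handful of times per day, then ban briefly" policy from the last two replies, as an added Python example (not code from anyone in this thread, and not fail2ban's own implementation): it replays constructed access-log lines through a sliding window with fail2ban-style maxretry/findtime/bantime knobs, counts only POST requests to /xmlrpc.php by default so that a GET produced by an <img> tag on a third-party page does not count against its visitors, and expires bans so a NAT or VPN address gets a clean window afterwards. The IP addresses, timestamps and status codes in the log are constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Combined-log-format lines, constructed for this example (addresses from
# RFC 5737 documentation ranges; status codes are illustrative only).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:58:10 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "https://example.org/page" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:58:11 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 405 42 "https://example.org/page" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:58:12 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "https://example.org/page" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "SomeBlogClient/1.0"
192.0.2.9 - - [10/Oct/2023:14:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:15:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.9 - - [12/Oct/2023:14:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "SomeBlogClient/1.0"
"""

# Same shape a fail2ban failregex would capture: client address, timestamp, method, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class BanPolicy:
    maxretry: int = 5        # hits tolerated inside findtime before a ban is issued
    findtime: int = 86400    # window in seconds; a day, matching the "handful per day" idea
    bantime: int = 3600      # short ban, so a shared NAT/VPN address is not locked out for long
    count_get: bool = False  # GETs (what an <img src=".../xmlrpc.php"> produces) are ignored by default


@dataclass
class BanState:
    hits: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> timestamps in window
    bans: dict = field(default_factory=dict)                        # ip -> ban expiry
    ban_log: list = field(default_factory=list)                     # (ip, when) per ban issued


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'].split('?', 1)[0]


def is_banned(state, ip, now):
    """True while a ban is active; an expired ban is cleared together with the hit window."""
    expiry = state.bans.get(ip)
    if expiry is None:
        return False
    if now >= expiry:
        del state.bans[ip]
        state.hits.pop(ip, None)
        return False
    return True


def observe(state, policy, line):
    """Feed one log line; return True only if this line triggered a new ban."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    ip, ts, method, path = parsed
    if path != '/xmlrpc.php':
        return False
    if method != 'POST' and not policy.count_get:
        return False
    if is_banned(state, ip, ts):
        return False  # a firewall drop would mean fail2ban never sees this line at all
    window = state.hits[ip]
    window.append(ts)
    cutoff = ts - timedelta(seconds=policy.findtime)
    while window and window[0] < cutoff:
        window.popleft()  # forget hits that fell out of findtime
    if len(window) >= policy.maxretry:
        state.bans[ip] = ts + timedelta(seconds=policy.bantime)
        state.ban_log.append((ip, ts))
        window.clear()
        return True
    return False


def run(lines, policy):
    """Replay a log in order and return the resulting state."""
    state = BanState()
    for line in lines:
        observe(state, policy, line)
    return state


if __name__ == '__main__':
    result = run(SAMPLE_LOG.splitlines(), BanPolicy())
    for ip, when in result.ban_log:
        print(f'ban {ip} at {when.isoformat()}')
```

With the default policy only 203.0.113.7 is banned (on its fifth POST inside a minute), the three GETs from 198.51.100.20 never count, 192.0.2.9's two POSTs two days apart never reach the threshold, and 203.0.113.7's POST after the ban has lapsed starts a fresh window. Setting count_get=True reproduces the failure mode described earlier in the thread, where visitors of a page carrying the <img> tag get banned. In fail2ban terms the regex is the filter's failregex with `<HOST>` in place of the address group, and maxretry, findtime and bantime are the jail settings.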
An attacker will probably just move on to attacking from another IP while a legitimate person is more likely to be impacted by the aggressive fail2ban rule. You will also probably eventually ban a carrier grade NAT or VPN exit node at some point impacting multiple people for the actions of one. I don't think this is the right way to go about improving security.