XML-RPC pingback attacks are really annoying. From time to time you see a flood of POST /xmlrpc.php requests from many different IP addresses, and sometimes there are enough of them to take a server down (yes, my server is a tiny angel). But I can’t disable WordPress XML-RPC, because Jetpack needs it (post by email, how cool!). So I worked out a quick and dirty way to stop the flood: only let Jetpack’s IP addresses call xmlrpc.php.

WordPress does not publish these IPs (I don’t know why); their support says:

“We aren’t able to provide any IP addresses for Jetpack as they fluctuate. You could try whitelisting *.wordpress.com for both inbound and outbound traffic, as a workaround.”

However, looking through my server log, I noticed two likely IP address ranges, and a quick lookup confirmed my suspicion. Here they are (Update: Ben, in the comment below, sent me a list of IP addresses from his own server log. I double-checked them and updated the list here.):

66.135.32.0/19
66.155.0.0/18
69.174.240.0/20
72.232.0.0/17
76.74.248.0/21
192.0.64.0/18
198.181.116.0/22
207.198.64.0/18
209.15.0.0/16
216.151.208.0/20

And here is a sample nginx configuration:

server {
  # Only localhost and the Jetpack ranges above may reach xmlrpc.php.
  # ngx_http_access_module checks allow/deny rules in the order written and
  # stops at the first match, so "deny all" has to be the last rule; placed
  # first it would match every client and the allow lines would never apply.
  location = /xmlrpc.php {
    allow 127.0.0.0/24;
    allow ::1/128;
    allow 66.135.32.0/19;
    allow 66.155.0.0/18;
    allow 69.174.240.0/20;
    allow 72.232.0.0/17;
    allow 76.74.248.0/21;
    allow 192.0.64.0/18;
    allow 198.181.116.0/22;
    allow 207.198.64.0/18;
    allow 209.15.0.0/16;
    allow 216.151.208.0/20;
    deny all;

    # This location now handles xmlrpc.php itself, so repeat the PHP
    # handling you use for other .php files (fastcgi_pass and friends) here;
    # without it nginx would serve the file as static content to allowed clients.
  }
}
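As an added example (not part of the original post), the following Python script does the two checks this setup calls for: it pulls POST /xmlrpc.php hits out of a combined-format access log and splits them by whether the source falls inside the ranges above, and it emulates how nginx’s access module evaluates allow/deny rules (in order, first match wins), so you can see what happens when `deny all;` is placed before the allow lines rather than after them. The log lines are constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes standing in for attacker sources.

```python
import ipaddress
import re
from collections import Counter

# The Jetpack ranges listed in the post.
JETPACK_RANGES = [ipaddress.ip_network(c) for c in (
    "66.135.32.0/19", "66.155.0.0/18", "69.174.240.0/20", "72.232.0.0/17",
    "76.74.248.0/21", "192.0.64.0/18", "198.181.116.0/22", "207.198.64.0/18",
    "209.15.0.0/16", "216.151.208.0/20",
)]

# Combined-log-format lines constructed for this example (not real traffic).
SAMPLE_LOG = """\
192.0.98.7 - - [08/Sep/2014:01:40:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack by WordPress.com"
203.0.113.5 - - [08/Sep/2014:01:40:12 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
203.0.113.5 - - [08/Sep/2014:01:40:12 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
198.51.100.23 - - [08/Sep/2014:01:40:13 +0000] "POST /xmlrpc.php?x=1 HTTP/1.0" 200 370 "-" "-"
198.51.100.23 - - [08/Sep/2014:01:40:14 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
76.74.255.66 - - [08/Sep/2014:01:41:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack by WordPress.com"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def in_allowlist(ip, ranges=JETPACK_RANGES):
    """True if ip falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def triage_xmlrpc(log_text, ranges=JETPACK_RANGES):
    """Count POST /xmlrpc.php requests per source IP and return two Counters:
    (allowlisted sources, sources the allow list would block). Everything
    else in the log is ignored; a query string on the path is stripped."""
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        (allowed if in_allowlist(m["ip"], ranges) else blocked)[m["ip"]] += 1
    return allowed, blocked


def nginx_access_decision(rules, ip):
    """Emulate ngx_http_access_module: rules is a list of (action, cidr) in
    config order; the first rule whose cidr contains ip decides. "all"
    matches everything. If no rule matches, nginx allows the request."""
    addr = ipaddress.ip_address(ip)
    for action, cidr in rules:
        if cidr == "all" or addr in ipaddress.ip_network(cidr):
            return action
    return "allow"


# "deny all" first: every client matches it before any allow is reached.
DENY_FIRST = [("deny", "all")] + [("allow", str(n)) for n in JETPACK_RANGES]
# allow lines first, "deny all" as the catch-all at the end.
ALLOW_FIRST = [("allow", str(n)) for n in JETPACK_RANGES] + [("deny", "all")]

if __name__ == "__main__":
    allowed, blocked = triage_xmlrpc(SAMPLE_LOG)
    print("allowlisted sources:", dict(allowed))
    print("would be blocked:   ", dict(blocked))
    for ip in ("192.0.98.7", "203.0.113.5"):
        print(ip, "deny-first ->", nginx_access_decision(DENY_FIRST, ip),
              "| allow-first ->", nginx_access_decision(ALLOW_FIRST, ip))
```

Point the script at your real access log (replace SAMPLE_LOG with the file contents) before switching the config on: any Jetpack source that shows up under "would be blocked" is a range missing from the allow list, and the rule emulation is a cheap way to sanity-check rule order without reloading nginx.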

If you know of any other IP ranges, let me know and I will update this post. Happy blogging!

Quick and dirty way to prevent XML-RPC Pingback Attacks

2 thoughts on “Quick and dirty way to prevent XML-RPC Pingback Attacks”

  • Ben, September 8, 2014 at 1:44 AM

    Here’s all the WordPress IPs I’ve seen JetPack use. Took a month to log them:

    order deny,allow
    deny from all
    allow from 216.151.209.64
    allow from 216.151.209.127
    allow from 66.135.48.128
    allow from 66.135.48.255
    allow from 69.174.248.128
    allow from 69.174.248.255
    allow from 76.74.255.0
    allow from 76.74.255.127
    allow from 216.151.210.0
    allow from 216.151.210.127
    allow from 76.74.248.128
    allow from 76.74.248.255
    allow from 76.74.254.0
    allow from 76.74.254.127
    allow from 207.198.112.0
    allow from 207.198.113.255
    allow from 207.198.101.0
    allow from 207.198.101.127
    allow from 198.181.116.0
    allow from 198.181.119.255
    allow from 192.0.64.0
    allow from 192.0.127.255
    allow from 66.155.8.0
    allow from 66.155.11.255
    allow from 66.155.38.0
    allow from 66.155.38.255
    allow from 72.233.119.192
    allow from 72.233.119.255
    allow from 209.15.21.0
    allow from 209.15.21.255

    • September 8, 2014 at 3:54 AM

      Thank you Ben! I will double check each IP and update my post accordingly.

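The cross-check promised in that reply, as an added example that is not part of the original post or the comment: Ben’s lines come in pairs that look like the first and last address of a range (reading them that way is an assumption, not something the comment states). The script below turns each pair into the smallest set of CIDR blocks that covers it, merges adjacent blocks, and then reports any block that none of the post’s CIDR ranges fully contains, which is exactly the set of Jetpack sources the nginx configuration above would still block.

```python
import ipaddress

# Start/end pairs from Ben's comment, read as the first and last address of
# each range (an assumption about his list, not something the comment states).
COMMENT_PAIRS = [
    ("216.151.209.64", "216.151.209.127"),
    ("66.135.48.128", "66.135.48.255"),
    ("69.174.248.128", "69.174.248.255"),
    ("76.74.255.0", "76.74.255.127"),
    ("216.151.210.0", "216.151.210.127"),
    ("76.74.248.128", "76.74.248.255"),
    ("76.74.254.0", "76.74.254.127"),
    ("207.198.112.0", "207.198.113.255"),
    ("207.198.101.0", "207.198.101.127"),
    ("198.181.116.0", "198.181.119.255"),
    ("192.0.64.0", "192.0.127.255"),
    ("66.155.8.0", "66.155.11.255"),
    ("66.155.38.0", "66.155.38.255"),
    ("72.233.119.192", "72.233.119.255"),
    ("209.15.21.0", "209.15.21.255"),
]

# The CIDR list the post settled on.
POST_RANGES = [ipaddress.ip_network(c) for c in (
    "66.135.32.0/19", "66.155.0.0/18", "69.174.240.0/20", "72.232.0.0/17",
    "76.74.248.0/21", "192.0.64.0/18", "198.181.116.0/22", "207.198.64.0/18",
    "209.15.0.0/16", "216.151.208.0/20",
)]


def pairs_to_cidrs(pairs):
    """Turn first/last address pairs into the minimal CIDR blocks covering
    them, merge adjacent blocks, and return them as sorted strings."""
    nets = []
    for first, last in pairs:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def uncovered(cidrs, ranges=POST_RANGES):
    """Blocks in cidrs that no network in ranges fully contains: clients from
    these blocks would be denied by an allow list built from ranges."""
    return [c for c in cidrs
            if not any(ipaddress.ip_network(c).subnet_of(r) for r in ranges)]


if __name__ == "__main__":
    blocks = pairs_to_cidrs(COMMENT_PAIRS)
    for b in blocks:
        print(b)
    print("not covered by the post's list:", uncovered(blocks))
```

Run as-is it reports 72.233.119.192/26 as not covered, because 72.232.0.0/17 ends at 72.232.127.255; whether that block belongs in the allow list is something to confirm against your own server log before adding it.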
