Category: Random

Prevent XML-RPC attacks on WordPress websites

This blog runs on WordPress, which I host on a VPS with DigitalOcean.

I didn’t use shared hosting services like Bluehost because I’m a geek and I like spinning up my own servers manually and maintaining control over how things are set up.

I started running this blog on a $5 per month DigitalOcean droplet, which had 512MB of RAM, a single-core CPU and a 20GB SSD. I was running the standard LAMP stack on it to serve WordPress. It was cheap, it worked, and my website seemed to load fast enough.

Recently, I began having problems with my blog constantly going down, giving me the “Error establishing connection to the database” error every time I accessed my website. Most of the time, I could resolve this by ssh’ing into my server and restarting Apache or MySQL. Over the past two days, the downtime had been getting worse and I started getting the “bash: fork: Cannot allocate memory” error when I issued commands in the shell.

I thought, “Okay… maybe $5 per month isn’t enough to run the LAMP stack; I guess I can upgrade to the $10 per month plan, which should give me 1GB of RAM.” That is enough to run Ruby on Rails applications, so it should be more than enough for a small WordPress site. After the upgrade, my blog ran fine for one day and then started crashing again.

Since there was no way my current server wasn’t enough to run a small WordPress site, I began to investigate why it was constantly running out of memory and taking my site down. It turns out that there’s a class of attack called XML-RPC attacks that is common against WordPress sites. XML-RPC is a protocol for calling functions on a remote server over HTTP. WordPress exposes it (through xmlrpc.php) so that clients can call its functions remotely, but the same endpoint can be abused to launch brute force attacks against WordPress sites, and the flood of requests is what was exhausting my server’s memory.

There’s a great guide on how to prevent XML-RPC attacks here:

https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-from-xml-rpc-attacks-on-ubuntu-14-04

Below is the TL;DR step-by-step version of that article, which will apply to most people (method 2 of the article won’t work unless you specifically used DigitalOcean’s one-click WordPress install, which I didn’t).

Check if you are experiencing attacks

This is simple to do. SSH into your server and run one of the following two commands, depending on which web server you’re running.

apache2

grep xmlrpc /var/log/apache2/access.log

nginx

grep xmlrpc /var/log/nginx/access.log

If you’re experiencing attacks, you’ll see a bunch of log lines that go something like

POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

If you do see that in your logs, continue onto the next two steps.

Install Jetpack and turn on the Protect feature

The Jetpack WordPress plugin can protect against brute force attacks. Unfortunately, this won’t prevent all attacks. I can’t remember the technical reason for it, but I had this feature turned on before I started having problems and my blog was still taken down constantly. Regardless, it doesn’t hurt to install this plugin and turn on the “Protect” feature. Now, onto the sledgehammer method for protecting against XML-RPC attacks.

Manually blocking XML-RPC attacks

This is the sledgehammer method, and the one that worked for me.

For Apache, open up the site configuration file with sudo

sudo vim /etc/apache2/sites-available/000-default.conf

and add the following lines inside the VirtualHost tags.

Save and close the file, then restart the web server with

sudo service apache2 restart

For nginx, open up

sudo vim /etc/nginx/sites-available/example.com

and add the following lines to the file.

Restart the web server with

sudo service nginx restart

and you should be good to go!

Thoughts

I try to think of every problem I experience as a learning experience, but these were a few hours I could have spent on client projects. If I were a WordPress developer, I would consider this a learning experience, but I’m not and probably never will be. I’m thinking about migrating this blog to WPEngine, or to something like Ghost or SquareSpace, so that I can just focus on writing content.

Seriously, hire an accountant to do your taxes

When we’re sick, we consult doctors. When we have plumbing problems, we hire plumbers. When someone needs to have a piece of software built, they hire a software developer. But for some reason, when it’s time to file our taxes, a lot of us try to do it ourselves.

Seriously, people, just hire an accountant. A good accountant will find all sorts of ways to bring your tax obligations down and save you money that you wouldn’t have saved doing your taxes on your own.

Every time I paid a few hundred dollars to an accountant to do my taxes for me, he/she always got me a few thousand dollars in refunds that TurboTax never got me. This year, because I was in the United States for the majority of 2016, I thought that I wouldn’t qualify for the Foreign Earned Income Tax inclusion. Well, it turns out that I “can” sort of do this by filing for an extension for my 2016 taxes so that I can file later in the year, in December. I would never have known about this if I hadn’t paid a few hundred dollars to my accountant. Thanks to my accountant, I’m now due a refund of a few thousand dollars at the end of the year rather than owing the US government a few thousand dollars in taxes.

Also, think about it this way. Let’s say you spend 10 hours (probably more, if we’re being honest) agonizing over your taxes. How much is your time worth? Let’s say you’re a freelance software developer billing at $100 per hour. If you spent a total of 10 hours doing your taxes, filing them just cost you $1,000, never mind the stress of not knowing whether you filed correctly or not. On the other hand, let’s say that a competent accountant who’s 100x better than you will ever be at filing taxes only costs $300, and that working with an accountant will potentially save you thousands of dollars in taxes you owe to Uncle Sam. Needless to say, it’s smarter and more cost-effective to just pay the accountant.

So yes, just suck it up, pay a few hundred dollars, and hire a competent accountant. You’ll probably end up making money thanks to all of the refunds that you’ll be getting.

If you’re a nomadic individual like me: I used Greenback Expat Tax Services to file my 2016 taxes and so far they have been excellent.

How to Create a Blog Course – Simple Programmer

One of the inspirations for creating this blog was John Sonmez of https://simpleprogrammer.com.

I’ve been randomly watching John Sonmez’s videos on YouTube every now and then and have always enjoyed them. When I was stopping by Maryland for a month or two, I realized I had his book Soft Skills on my bookshelf and, out of sheer boredom one day, cracked it open and began reading it.

One section in the book that was intriguing was on how to market yourself as a software developer and how blogging is one of the best ways to do this. I’ve always thought that blogging was a waste of time and found that I had difficulty maintaining any sort of consistency with it. One of the things he mentioned was that you have to take a long-term view when it comes to blogging: it’s actually hard to find an unsuccessful blog that’s been consistently maintained for 4 – 5 years. I thought he had a valid point, so…

I signed up for John Sonmez’s “How to Create a Blog” course, mostly to give myself mandatory homework and keep myself accountable. The course is emailed to your inbox with tasks to complete and is an easy way to keep track and stay accountable throughout the blog creation process. It gives tips on what to write about, which blog platform to choose (hint: WordPress), how to host your blog, what themes to choose, how to niche yourself, etc. Well, this blog is the result of the course and I’ll be writing in it twice a week in 2017. The topics I’ll be focusing on are 1) Android development and 2) remote/nomadic software development.

If you’re interested, the link to the course is https://simpleprogrammer.com/blog-course. Off to filling this blog with at least 100 posts by the end of 2017!