Securing Your WordPress Site: Blocking xmlrpc.php with Azure Front Door WAF

What is xmlrpc.php and Why is it a Risk?

xmlrpc.php is a file that allows remote access to WordPress sites via the XML-RPC protocol. This enables functionality such as posting to WordPress from external sources, enabling mobile apps, and communicating with services like Jetpack. While useful in certain scenarios, this file is also a well-known target for cyberattacks, particularly brute force attacks, where attackers attempt to guess usernames and passwords to gain unauthorized access to your site.

Additionally, xmlrpc.php is susceptible to amplification attacks, where attackers use the file to generate a large number of requests, overwhelming your server and leading to a denial of service. Even though the file serves a purpose, most modern WordPress sites don’t need it, especially if you’re not using external publishing services or mobile apps. Blocking access to xmlrpc.php can mitigate these risks without affecting your site’s normal functionality.

The Power of Azure Front Door WAF for Security

Azure Front Door is a global content delivery network (CDN) and load balancer offered by Microsoft Azure. One of its key features is the integration of a Web Application Firewall (WAF), which helps protect your applications from common web vulnerabilities, including SQL injection, cross-site scripting (XSS), and more. WAF is particularly effective for blocking specific URLs or patterns of malicious traffic.

For sites hosted on Azure, particularly WordPress websites, utilizing the Azure Front Door WAF to block access to files like xmlrpc.php is a straightforward and efficient way to add an additional layer of security. The WAF allows you to create custom rules tailored to your specific requirements, enabling you to block or allow traffic based on request parameters.

Steps to Block xmlrpc.php Using Azure Front Door WAF

Now, let’s walk through the steps to block xmlrpc.php using Azure Front Door’s WAF. These steps assume that you already have a WordPress site hosted on Azure App Services and are using Azure Front Door to manage traffic to your site.

Step 1: Create or Modify Your WAF Policy

The first step is to either create a new WAF policy or modify an existing one in Azure.

1. Navigate to Azure Front Door: In the Azure Portal, go to the Azure Front Door section.
2. Select WAF Policies: Under the security section, select WAF Policies. This is where you can manage all your Web Application Firewall configurations.
3. Choose an Existing Policy or Create a New One: You can either create a new WAF policy or modify an existing one, depending on your setup. If you’re managing multiple sites, you may already have a policy that applies to all your WordPress sites.

Step 2: Add a Custom Rule

In Azure Front Door WAF, custom rules allow you to define specific criteria to block or allow traffic based on various conditions.

1. Go to Custom Rules: Within your selected WAF policy, go to the Custom rules section.
2. Add a New Custom Rule: Click Add custom rule to begin creating a new rule for blocking xmlrpc.php.
3. Name Your Rule: Give the rule a meaningful name, such as BlockXmlRpcPhp, so that it’s easy to identify in the future.

Step 3: Configure Rule Priority

Every rule in Azure Front Door WAF has a priority. Rules are evaluated based on their priority, with lower numbers taking precedence over higher numbers.

1. Set a High Priority: For the rule blocking xmlrpc.php, set the priority to a higher value (lower number), such as 10. This ensures that this rule is evaluated early in the sequence, giving it precedence over other rules.Setting an appropriate priority ensures that traffic to xmlrpc.php is blocked before any other rules allow or deny traffic, thereby preventing bypassing of this critical security check.

Step 4: Set Rule Match Conditions

The match conditions define what traffic the rule applies to. In this case, we’re targeting requests for the xmlrpc.php file specifically.

If

1. Match Type: Set the match type to String.
2. Match Variable: RequestUri
3. Operation: Is
4. Match Operator: Use Contains as the match operator.
5. Transformation: Set the transformation to Lowercase. This ensures that the rule matches regardless of the case in the URL. For example, /XMLRPC.PHP and /xmlrpc.php will both be blocked.
6. Match Values: Enter /xmlrpc.php as the match value. This will match any request to the xmlrpc.php file.

Step 5: Set the Action to Deny Traffic

Once the match conditions are configured, you need to specify what the WAF should do when a request matches those conditions.

Then

1. Action: Set the action to Deny traffic. This will block any request to the xmlrpc.php file from reaching your WordPress site.

Step 6: Apply and Test

After configuring the custom rule, it’s time to apply the WAF policy to your Azure Front Door configuration.

1. Save the Rule: Ensure you save the custom rule and apply it to your WAF policy.
2. Recommended to Purge cache within Front Door, before testing.
3. Test the Configuration: To test whether the rule is working, try accessing https://your-domain-name/xmlrpc.php from a browser or using a tool like cURL. If the rule is configured correctly, the request should be blocked, and you should receive an error message instead of being able to access the file.
   

Notes: According to the official Azure Web Application Firewall (WAF) FAQ for Front Door, the propagation time for WAF policy changes is typically within a few minutes but may take up to 30 minutes for changes to fully propagate across all regions.

If the custom rules are not working:

• Make sure your Front Door is applied to the apex domain eg your-domain.com.au or a redirection/forwarding to the www at the DNS level. To set the apex domain your DNS provider need to supports advanced DNS features such as ALIAS or ANAME records this ic called Flattening as your A record need a IP address & Front Door need a CNAME. Not all DNS provides support this service, so if you are at this level or read this post it maybe time to move your DNS.

• Front Door WAF policy is set to Prevention, the custom rules will not work if set to detaction mode.
  
• You can also test at xmlrpc.blog, add your domain name and it will review if the endpoint is available.

Benefits of Blocking xmlrpc.php

Blocking access to xmlrpc.php helps protect your WordPress site from several types of attacks:

1. Brute Force Protection: By blocking access to this file, you prevent attackers from using it to launch brute force attacks on your site.
2. DDoS Mitigation: Blocking xmlrpc.php can reduce the risk of DDoS attacks by preventing attackers from exploiting this file to overload your server with requests.
3. Improved Site Performance: Blocking unnecessary requests to xmlrpc.php can reduce server load, improving overall performance and ensuring legitimate traffic gets the resources it needs.
4. Reduced Attack Surface: By eliminating access to a commonly targeted file, you reduce the attack surface of your WordPress site, making it harder for attackers to find and exploit vulnerabilities.

Conclusion

Securing your WordPress site on Azure is essential to maintaining its performance and protecting it from cyber threats. By blocking access to xmlrpc.php using Azure Front Door’s WAF, you can defend against common attack vectors such as brute force and DDoS attacks, enhancing the overall security of your site. Azure Front Door’s custom rules and powerful WAF features make it easy to implement these protections, ensuring your WordPress site remains secure, responsive, and reliable for your users.

At KloudStack, we specialize in offering secure, high-performance hosting solutions for WordPress sites on Azure. If you need help configuring Azure Front Door WAF or have other security concerns, our team is here to assist you. Reach out to us today and let us help you secure your WordPress site.