4 Comments

  1. _ck_

    Always delete xmlrpc.php immediately from virtually all WP installs.
    It’s responsible for several of the security issues with WP over the years, and it also allows unlimited password attempts. You can live without the mostly spam trackbacks for the safety of it being gone.

    If you are on a dedicated or VPS (and you should be) I highly recommend the (free) configserver firewall http://configserver.com/cp/csf.html – it’s not just for cpanel anymore and it’s extremely good about blocking too many connections.

    Last but not least when you can’t solve a ddos, replace apache with something like litespeed which is a drop in replacement (uses httpd.conf and .htaccess files directly unlike nginx). There is a free version and it can weather a ddos when apache would be long dead. Even automattic uses litespeed to this very day.


  2. Ah…some of us *use* xml-rpc, which you need for offline editors like Windows Live Writer. I’ve been using it for years, and never come in for the kind of attack that hit Jeffro, which seems to have been bad luck as much as anything. (Well, that and lack of eptitude from his host.)

    Jeff, any idea who resides at that IP address or owns those domains? A competent hacker would be hiding several jumps back, and not likely traceable, but whoever it is deserves a smackdown.


  3. @_ck_ -

    Even automattic uses litespeed to this very day.

    I’m pretty sure that they switched to nginx in early 2008.

    There is a free version …

    No, there is a 15-day free trial. Then you get mugged.

    … and it can weather a ddos when apache would be long dead.

    Modern versions of Apache are fine if properly configured.

    HOWEVER, the whole discussion is pretty ridiculous, it only promotes the fantasy that you can have any control at all when you share a server with tens of thousands of people you don’t know.

  4. _ck_

    donnacha, I assure you, many automattic servers are still running LiteSpeed and it’s easy to prove based on certain responses to certain queries.

    There is no 15-day timeout on the free version of Litespeed, only the commercial version. The free version has a limit of 5 httpd.conf accounts and 100 simultaneous connections (1500 can be queued). It’s definitely not for everyone but something to try when a site outgrows apache.

    If starting from scratch I would definitely use nginx, but if you need a drop in apache replacement that can be done in less than an hour, use litespeed. It’s literally doubles the capacity of any server that was using apache. I am not a fan of the commercial price tag and I hope they feel the pressure from open source alternatives over time to reduce that.

    I do agree with you that shared hosting is a bad idea for any larger site. The wrong VPS environment can be just as bad because it’s a complete lie you are isolated from neighbors on the node. But not everyone can afford dedicated so the right VPS is a good solution.

Comments are closed.