WordPress xml-rpc: protection against brute-force attacks


Since WordPress 3.5, xml-rpc has been enabled by default on every installation, which is a very useful thing: among other things, it lets you use the mobile apps to maintain your site.
 
However, an open xml-rpc endpoint is a huge black hole that attracts rogues of all stripes, who start brute-forcing your cozy site en masse; I learned this the hard way when the load on my hosting grew by half. So I disabled xml-rpc a long time ago and lived happily ever after.
 
But the moment of truth still came: after I bought a new Android phone, the new toy was immediately put to work with the WordPress mobile app. I had to turn xml-rpc back on, and the attacks began right away. In the end, the simplest solution was to create a white list of IP addresses that are allowed to access the file xmlrpc.php.
 
How to do this:


1) log in via sFTP and edit the sacred .htaccess file, adding the access-control directives of mod_authz_host
– for Apache 2.2:
<Files xmlrpc.php>
order deny,allow
allow from <your IP address>
deny from all
</Files>

– for Apache 2.4:
<Files xmlrpc.php>
Require ip <your IP address>
</Files>

2) You can find out your own IP address by asking Google 🙂 In the end, you get something like:
<Files xmlrpc.php>
Require ip 64.233.191.21
</Files>

3) add this code anywhere in .htaccess, save it and voilà!
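A combined version of the same directives, as an added example that is not part of the original post: one .htaccess block that works under both Apache 2.2 and 2.4 by checking which authorization module is loaded, and that allows several addresses, including a whole subnet. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders taken from the documentation ranges; put your own in their place.

```apache
# Added example, not from the original post. One block for both Apache branches:
# 2.4 uses "Require" (mod_authz_core), 2.2 uses "Order/Allow/Deny" (mod_authz_host).
# 203.0.113.10 and 198.51.100.0/24 are placeholders; replace them with your own addresses.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and newer: several Require lines in one section are ORed,
        # so any listed address is allowed and every other client gets 403.
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: deny everyone first, then let the listed addresses through.
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>
```

Two things to check after saving: request xmlrpc.php once from a listed address and once from an unlisted one, and confirm the second returns 403 in the access log. And if the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so the list would have to name the proxy instead (or mod_remoteip be configured to restore the real client address); otherwise the rule will either lock you out or let everyone through.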
 
Now only your IP can access xml-rpc. If you want, you can specify the port as well.
 
I will be glad to hear your comments!

This entry was posted in Apache (en), CMS (en), Wordpress (en).
