Since WordPress 3.5, any installation has xml-rpc enabled by default, which is a very useful thing that allows you to use mobile apps to maintain your site, among other things.
However, the use of xml-rpc is a huge black hole, attracting rogues of all stripes, which massively start bruteforcing your cozy site; I felt it on my skin, when the load on the hosting has increased by half. So I disabled xml-rpc a long time ago and lived happily ever after.
But still the moment of truth came and after I bought a new Android phone, the Thing immediately started to master mobile WordPress. I had to turn this xml-rpc on; immediately the attacks began. In the end, the easiest solution was to create a white list of IP addresses to access the file xmlrpc.php
How to do this:
1) go in via sFTP and edit the holy file .htaccess , adding the directive mod_authz_host
– for version apache 2.2:
allow from <ваш IP-адрес>
deny from all
– for version Apache 2.4:
Require ip <ваш IP-адресс>
Свой IP адрес можно узнать спросив у гугла 🙂 В итоге, получится что-то вроде:
Require ip 220.127.116.11
3) add this code anywhere in .htaccess , save it and voila!
Now only your IP can access xml-rpc. If you want, you can prescribe the port as well.
I will be glad to hear your comments!