WordPress xml-rpc: protection against bruteforce

Since WordPress 3.5, xml-rpc is enabled by default on every installation, which is very convenient: among other things, it lets you maintain your site from mobile apps.
However, xml-rpc is also a huge black hole that attracts rogues of all stripes, who start bruteforcing your cozy site in bulk; I felt it on my own skin when the load on my hosting rose by half. So I disabled xml-rpc long ago and lived happily ever after.
But the moment of truth still came: after I bought a new Android phone, the thing immediately wanted to master mobile WordPress. I had to turn xml-rpc back on, and the attacks began at once. In the end, the simplest solution was a white list of IP addresses allowed to access the file xmlrpc.php.
How to do this:

1) Log in via sFTP and edit the holy file .htaccess, adding the access directives from mod_authz_host:
– for Apache 2.2:
<Files xmlrpc.php>
order deny,allow
allow from <your IP address>
deny from all
</Files>

– for Apache 2.4:
<Files xmlrpc.php>
Require ip <your IP address>
</Files>

2) You can find your own IP address by asking Google 🙂 In the end, you get something like this, with your own address in place of the placeholder:
<Files xmlrpc.php>
Require ip <your IP address>
</Files>

3) Add this code anywhere in .htaccess, save it, and voila!
Now only your IP can access xml-rpc. If you want, you can specify a port as well.
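As an added example (not from the original post), here is a single .htaccess block that covers both Apache versions at once, so the file keeps working after the hosting moves from 2.2 to 2.4, and that allows more than one address or a whole range. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the RFC 5737 documentation ranges; substitute your own.

```apache
# Added example, not the original post's own snippet.
# Restrict xmlrpc.php to an allow-list of client addresses on Apache 2.2 and 2.4.
# 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders: replace them.
<Files xmlrpc.php>
    # Apache 2.4+: mod_authz_core provides the Require framework,
    # and Require ip accepts several addresses and CIDR ranges in one line.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10 198.51.100.0/24
    </IfModule>

    # Apache 2.2: mod_authz_core does not exist, so fall back to Order/Allow/Deny.
    # With "Order deny,allow" the Allow lines are evaluated last and win.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10 198.51.100.0/24
    </IfModule>
</Files>
```

Requests from any other address get a 403; on Apache 2.4 they also appear in the error log as AH01630 "client denied by server configuration", which is a handy way to confirm the rule is in force and to see who is still knocking. Two caveats: the host must permit these directives in .htaccess (AllowOverride AuthConfig for Require, AllowOverride Limit for Order/Allow/Deny), and if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, so the rule only matches the real client IP if mod_remoteip (or the proxy's own allow-list) is configured.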
I will be glad to hear your comments!

This entry was posted in Apache, CMS, WordPress.
