Block common WordPress attacks
There are two files commonly used for WordPress brute force attacks: xmlrpc.php and wp-login.php. This article will detail how you can block these attacks.
Warning: Not all IPs are malicious! Blocking the wrong IP may cause downtime (for example, blocking a CDN IP).
How can I stop a xmlrpc attack?
- Use a plugin to disable xmlrpc.
- Disable xmlrpc.php via the .htaccess file.
In your .htaccess file, add this code:
 
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
Did it work?
If you properly blocked access to xmlrpc.php, the access log will have entries similar to:
[Tue Aug 02 02:37:11.052622 2022] [authz_core:error] [pid 1449:tid 140380133652224] [client 220.85.221.65:51590] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:11.962665 2022] [authz_core:error] [pid 1449:tid 140380007773952] [client 134.122.112.76:51696] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:14.016124 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 14.232.245.48:51854] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
How can I stop a wp-login.php (wp-admin) attack?
- Use a plugin to limit login attempts.
- Limit access to the WordPress login page by IP address via the .htaccess file.
In your .htaccess file, add this code:
 
<Files wp-login.php>
order deny,allow
allow from xx.xxx.xx.xxx
deny from all
</Files>
Note: Each authorized IP (you, your developer, etc.) will need to have an allow rule added.
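To confirm that both the xmlrpc.php and the wp-login.php rules are actually taking effect, and to see which clients are hitting them, here is an added Python example (not part of the original article): it parses the AH01630 "client denied" lines in the format shown under "Did it work?", keeps only denials for the two blocked files, and tallies denied requests per client IP. The first two sample entries are the article's own log lines; the remaining ones are constructed for this example.

```python
import re
from collections import Counter

# Apache 2.4 authz_core denial line, as shown in the article. Only the fields
# needed are captured: timestamp, client IP (port dropped), denied path.
AH01630_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:error\] .*?"
    r"\[client (?P<ip>[0-9a-fA-F.:]+?):\d+\] AH01630: client denied by server "
    r"configuration: (?P<path>\S+)"
)

# The two files the .htaccess rules are meant to protect.
BLOCKED_FILES = ("xmlrpc.php", "wp-login.php")

def parse_denials(lines):
    """Yield (client_ip, filename) for each AH01630 denial of a blocked file."""
    for line in lines:
        m = AH01630_RE.match(line)
        if not m:
            continue  # not an authz_core denial (e.g. a PHP notice)
        filename = m.group("path").rsplit("/", 1)[-1]
        if filename in BLOCKED_FILES:
            yield m.group("ip"), filename

def summarize(lines):
    """Return {filename: Counter(client_ip -> denied requests)}, so each rule
    can be verified separately and the noisiest sources stand out."""
    summary = {name: Counter() for name in BLOCKED_FILES}
    for ip, filename in parse_denials(lines):
        summary[filename][ip] += 1
    return summary

# Sample log: the first two entries are the article's example lines; the rest are
# constructed for this example (203.0.113.0/24 is a documentation-only range).
SAMPLE_LOG = [
    "[Tue Aug 02 02:37:11.052622 2022] [authz_core:error] [pid 1449:tid 140380133652224] [client 220.85.221.65:51590] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php",
    "[Tue Aug 02 02:37:11.962665 2022] [authz_core:error] [pid 1449:tid 140380007773952] [client 134.122.112.76:51696] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php",
    "[Tue Aug 02 02:38:01.000001 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 203.0.113.7:40001] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php",
    "[Tue Aug 02 02:38:02.000001 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 203.0.113.7:40002] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php",
    "[Tue Aug 02 02:38:03.000001 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 203.0.113.9:40003] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/wp-login.php",
    "[Tue Aug 02 02:38:04.000001 2022] [php7:notice] [pid 1329:tid 140380243957504] [client 203.0.113.9:40004] PHP Notice: unrelated line that must be ignored",
]

if __name__ == "__main__":
    for filename, per_ip in summarize(SAMPLE_LOG).items():
        print(f"{filename}: {sum(per_ip.values())} denied request(s)")
        for ip, count in per_ip.most_common(3):
            print(f"  {ip:<16} {count}")
```

Feed the script the Apache error log of the vhost (where authz_core writes AH01630) instead of SAMPLE_LOG to check a live server; if a file shows zero denials while requests to it still appear in the access log, the rule is not being applied.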
Next Steps
Here are some other suggestions you may use to help block malicious traffic:
- Block IPs in the server's firewall
- Change the default user from 'admin' to another name
- Block access to xmlrpc.php and/or wp-login.php in the Apache configuration