Preventing attacks on WordPress xmlrpc.php and wp-login.php

I once noticed on some servers with WordPress sites a large number of requests to the files xmlrpc.php and wp-login.php.

As it turned out, someone was trying to guess a password and gain access to the site. Usually such attempts are blocked by Jetpack or by restricting access to the admin area by IP address in the web server configuration, but for some reason there was no protection on these servers.

To count the number of requests to a file in the access log, you can use the command:

grep 'xmlrpc.php' /var/log/apache2/access.log | wc -l

By the way, the command above can also be run from a monitoring system such as Zabbix, which can graph the returned value and send an alert when the number of requests rises.

Count the number of requests per IP address and list them, most active first:

grep 'xmlrpc.php' /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -nr

The same per-IP count for the wp-login.php file (the second variant shows only the top 20 addresses):

grep 'wp-login.php' /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -nr
grep 'wp-login.php' /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -20
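The pipelines above wrapped into reusable functions, as an added example that is not part of the original post: one function returns the total hit count for a file (the kind of value a Zabbix item would collect), one lists the top requesting addresses, and one prints only the addresses that exceed a threshold, which are the candidates for blocking. The log lines are constructed for this example and written to a temporary file; on a real server pass the path of the actual access log as the first argument instead.

```shell
#!/bin/sh
# Added example: per-IP request counting for WordPress login/XML-RPC endpoints.
# The access log below is constructed sample data in Apache combined format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.168.11.25 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:31 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:32 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:33 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.168.11.25 - - [10/Oct/2023:13:59:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
EOF

# count_hits LOGFILE FILENAME
# Total number of requests for FILENAME; suitable as a monitoring item value.
# -F matches the name literally so the dot in "xmlrpc.php" is not a wildcard.
count_hits() {
    grep -cF "$2" "$1"
}

# top_ips LOGFILE FILENAME
# One line per client address, "COUNT IP", most active address first.
top_ips() {
    grep -F "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# suspicious_ips LOGFILE FILENAME THRESHOLD
# Addresses that requested FILENAME more than THRESHOLD times.
suspicious_ips() {
    top_ips "$1" "$2" | awk -v t="$3" '$1 > t {print $2}'
}

# Stand-alone run: report on the constructed sample log.
printf 'xmlrpc.php requests: %s\n' "$(count_hits "$SAMPLE_LOG" xmlrpc.php)"
printf 'wp-login.php requests: %s\n' "$(count_hits "$SAMPLE_LOG" wp-login.php)"
echo "Addresses with more than 2 xmlrpc.php requests:"
suspicious_ips "$SAMPLE_LOG" xmlrpc.php 2
echo "Addresses with more than 3 wp-login.php requests:"
suspicious_ips "$SAMPLE_LOG" wp-login.php 3
```

The threshold is the tunable part: a single address hammering wp-login.php dozens of times a minute is almost always a password-guessing attempt, while one or two requests from a known admin address (192.168.11.25 in the sample) are normal and stay below it.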

In the Apache configuration or through the .htaccess file, you can restrict access to /wp-admin/ by IP address, for example:

<Directory /var/www/site/wp-admin/>
  Options -Indexes
  AllowOverride All
  Order allow,deny
  allow from 127.0.0.1 192.168.11.25
</Directory>

Completely deny access to files like this:

<Files wp-login.php>
Order Deny,Allow
Deny from all
</Files>
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
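The blocks above use the Apache 2.2 access-control directives (Order / Allow / Deny), which Apache 2.4 only accepts when mod_access_compat is loaded. The same restrictions in the native Apache 2.4 syntax, as an added example that is not part of the original post (the directory path and addresses are the page's own placeholders; the exception for admin-ajax.php is an addition, because the public front end of many themes and plugins calls that file and an IP restriction on the whole directory would break it for visitors):

```apache
# Added example: Apache 2.4 equivalent of the restrictions above.
# A <Directory> block belongs in the main server configuration or a vhost;
# the <Files> blocks may also be placed in .htaccess.
<Directory /var/www/site/wp-admin/>
    Options -Indexes
    AllowOverride All
    # Only the loopback address and one trusted host reach the admin area.
    Require ip 127.0.0.1 192.168.11.25

    # admin-ajax.php is requested by anonymous front-end visitors as well,
    # so it stays reachable from everywhere.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</Directory>

# Block the login and XML-RPC endpoints for everyone (clients receive 403).
<Files wp-login.php>
    Require all denied
</Files>
<Files xmlrpc.php>
    Require all denied
</Files>
```

If you still need to log in from a trusted network, replace `Require all denied` in the wp-login.php block with the same `Require ip ...` line used for the directory; password guessing from other addresses is then rejected before WordPress is even executed, while your own logins keep working. After changing the configuration, run `apachectl configtest` before reloading.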

If you use Jetpack, for example, it is better not to restrict wp-login.php, since errors can occur when the plug-in updates and its operation will be affected.
In that case, you can enable password protection in the Jetpack settings instead.

If Jetpack is not in use, you can install other plug-ins, for example “WP Limit Login Attempts”, which shows a captcha on the login form and blocks repeated incorrect login attempts.
The “Disable XML-RPC Pingback” plug-in can disable XML-RPC functions if they are not needed.

You can also tell search engines not to index these files in robots.txt:

User-agent: *
Disallow: /xmlrpc.php
Disallow: /wp-login.php
