Brute-force attacks against any CMS are a common occurrence these days. One of these attacks is the XML-RPC attack.

WordPress utilizes XML-RPC to remotely execute functions.

The attack is made possible because WordPress allows XML-RPC calls to be stacked using system.multicall, so many login attempts can be packed into a single HTTP request. This allows the server to be quickly overwhelmed by calls.

More information on this can be found here:

https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

To check whether your website is under an XML-RPC attack, check the access log of your web server. For Apache on Linux, you need to check:

/var/log/apache2/access.log

You are under attack if you find entries similar to:

POST /xmlrpc.php HTTP/1.0
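As an added example (not part of the original post), the following Python script does the access-log check described above: it parses Apache combined-format lines, counts POST requests to /xmlrpc.php per source address, and flags any address that sent a burst of them within a short window. The sample log lines, the threshold of 5 requests and the 60-second window are constructed assumptions for the demonstration; the function names are likewise hypothetical. Point read_log() at /var/log/apache2/access.log to run it against a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not from a real server).
# 203.0.113.5 fires six XML-RPC POSTs in six seconds; 198.51.100.7 is ordinary traffic
# plus one legitimate-looking XML-RPC call. One malformed line tests parser robustness.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2015:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2015:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2015:13:55:39 +0000] "POST /xmlrpc.php?foo=1 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2015:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2015:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2015:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in combined log format
198.51.100.7 - - [10/Oct/2015:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
"""

# client_ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string so /xmlrpc.php?x=1 is still recognised.
    path = m["path"].split("?", 1)[0]
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": path,
            "status": int(m["status"])}


def xmlrpc_posts(lines):
    """Yield (ip, timestamp) for every POST to /xmlrpc.php, skipping unparsable lines."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/xmlrpc.php":
            yield rec["ip"], rec["ts"]


def count_xmlrpc_posts(lines):
    """Total XML-RPC POSTs per source IP (the quick 'am I being hit?' view)."""
    counts = defaultdict(int)
    for ip, _ in xmlrpc_posts(lines):
        counts[ip] += 1
    return dict(counts)


def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map IP -> largest number of XML-RPC POSTs it made inside any `window`,
    for IPs that reached `threshold`. A sliding window over sorted timestamps
    separates a brute-force burst from occasional legitimate XML-RPC use."""
    per_ip = defaultdict(list)
    for ip, ts in xmlrpc_posts(lines):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


def read_log(path):
    """Read a real access log; errors="replace" keeps odd bytes from aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("XML-RPC POSTs per IP:", count_xmlrpc_posts(lines))
    for ip, n in find_bursts(lines).items():
        print(f"burst: {ip} sent {n} XML-RPC POSTs within 60s")
```

Because system.multicall packs many login attempts into one request, even a modest request rate per IP can mean thousands of password guesses, so the threshold should be tuned low rather than high; the per-IP totals are also a convenient allowlist check before blocking xmlrpc.php outright, since Jetpack and the WordPress mobile apps use it too.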

To protect your website from the attack, do either of the following:

  1. Install Jetpack plugin in your WordPress installation
  2. Manually block all XML-RPC traffic
    For this, on Apache/Linux, add the following entries to the file:

    /etc/apache2/sites-available/000-default.conf
    <VirtualHost>
        ...
        <files xmlrpc.php>
            order allow,deny
            deny from all
        </files>
    </VirtualHost>

    Now restart your web server and you are good to go. Note that blocking xmlrpc.php entirely also breaks anything that legitimately relies on XML-RPC, such as the Jetpack plugin from option 1 and the WordPress mobile apps, so pick one option rather than combining both.