Sneaky Hackers: How I Fixed the xmlrpc.php Problem

Recently I noticed a flood of xmlrpc.php POSTs in my Apache access_log for a new WordPress site just deployed, using a Bitnami image on AWS Lightsail. Basically it was flooding the site a few times every second! Eventually it gets overloaded and shuts down Apache.

xmlrpc access log

After doing a bit of research, aka… I checked Google, I learned this is a known problem. In a nutshell, hackers can use xmlrpc.php for botnets, brute force attacks, etc. Although there is some value in xmlrpc.php within WordPress (pingbacks, etc.), I was not using that functionality.

I addressed the issue with the iThemes Security plugin. Easy to install and configure, it only took a few minutes to make the site much more secure, including two-factor authentication, brute-force login attempt lockout, etc.

iThemes Security

For the xmlrpc issue, be sure to go into Settings -> Advanced -> API Access -> XML-RPC and select Disable XML-RPC; also, for REST-API, select Restricted Access.

Disable XML-RPC

Within only a couple of days, the plugin has already locked out a few bad IPs attempting brute force attacks. No problems with the XMLRPC floods since, fingers crossed.
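
To measure a flood like the one in the access log described above, and to confirm it has stopped after the change, this added example (not part of the original post) counts POSTs to xmlrpc.php per client IP per minute in Apache common or combined log lines. The function names, the 60-per-minute default threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Leading fields of an Apache common/combined log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def xmlrpc_posts_per_minute(lines):
    """Count POSTs to xmlrpc.php per (client IP, minute)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a POST
        # Drop the query string; match the script in any install directory.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts

def flooding_clients(lines, threshold=60):
    """Map each client whose busiest minute reached `threshold` to that peak."""
    peaks = {}
    for (ip, _minute), n in xmlrpc_posts_per_minute(lines).items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: n for ip, n in peaks.items() if n >= threshold}

# Constructed sample (documentation IP ranges), not lines from the real log.
SAMPLE = [
    f'{ip} - - [12/Mar/2024:10:{t} +0000] "{req} HTTP/1.1" 200 403'
    for ip, t, req in [
        ("203.0.113.7", "15:01", "POST /xmlrpc.php"),
        ("203.0.113.7", "15:01", "POST /xmlrpc.php"),
        ("203.0.113.7", "15:02", "POST /xmlrpc.php"),
        ("203.0.113.7", "15:02", "POST /xmlrpc.php"),
        ("203.0.113.7", "16:00", "POST /xmlrpc.php"),
        ("198.51.100.20", "15:03", "GET /xmlrpc.php"),
        ("198.51.100.20", "15:04", "POST /blog/xmlrpc.php?rsd"),
        ("192.0.2.44", "15:05", "POST /wp-login.php"),
    ]
] + ["not a log line"]

if __name__ == "__main__":
    for ip, peak in flooding_clients(SAMPLE, threshold=3).items():
        print(f"{ip}: {peak} xmlrpc.php POSTs in its busiest minute")
```

On a real server, pass the open access_log file object as `lines` and leave the threshold at a value that fits normal traffic for the site.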