I have seen many WordPress websites hit by the xmlrpc.php attack. This is actually a type of brute force attack: attackers try to log in to your WordPress website through xmlrpc.php.
The xmlrpc.php attack is also known as the XML-RPC attack. If your website is under this attack, you will see many POST requests to /xmlrpc.php in the access log:
POST /xmlrpc.php
Below is the log of a WordPress website under xmlrpc.php attack:
160.153.154.140 - - [23/Jul/2019:05:55:59 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
178.128.124.65 - - [23/Jul/2019:07:33:16 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
202.182.122.233 - - [23/Jul/2019:08:02:27 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.71.230.48 - - [23/Jul/2019:09:35:26 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
182.50.132.89 - - [23/Jul/2019:10:20:35 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
138.201.123.88 - - [23/Jul/2019:10:56:02 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Poster"
89.46.106.95 - - [23/Jul/2019:11:31:03 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress"
107.180.109.28 - - [23/Jul/2019:11:59:00 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Poster"
184.154.206.2 - - [23/Jul/2019:12:30:35 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
178.128.23.162 - - [24/Jul/2019:01:24:56 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
185.2.5.32 - - [24/Jul/2019:01:33:45 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
54.39.148.97 - - [24/Jul/2019:01:54:19 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
138.197.109.199 - - [24/Jul/2019:02:08:09 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
107.189.3.58 - - [24/Jul/2019:02:16:48 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
75.119.200.105 - - [24/Jul/2019:02:29:21 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
68.183.129.196 - - [24/Jul/2019:02:43:29 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.255.83.71 - - [24/Jul/2019:02:53:31 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
207.148.116.171 - - [24/Jul/2019:03:05:03 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
1.10.140.44 - - [24/Jul/2019:03:16:52 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
132.148.105.132 - - [24/Jul/2019:03:28:25 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
66.45.245.146 - - [24/Jul/2019:03:39:54 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
165.22.83.3 - - [24/Jul/2019:03:53:08 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
103.221.222.251 - - [24/Jul/2019:04:52:59 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
46.105.115.15 - - [24/Jul/2019:05:04:22 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
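To check your own access log for this pattern, the following added example (not part of the original article) counts POST requests to xmlrpc.php in combined log format across all client IPs, because in the log above each address appears only once and a per-IP counter would show nothing unusual. The sample lines are constructed, and the function name summarize_xmlrpc and the min_hits threshold are assumptions.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), shaped like the log above.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2019:05:55:59 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Windows Live Writter"
198.51.100.7 - - [23/Jul/2019:10:56:02 -0700] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Poster"
203.0.113.25 - - [24/Jul/2019:01:24:56 -0700] "POST /xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.80 - - [24/Jul/2019:01:33:45 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 8034 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
192.0.2.44 - - [24/Jul/2019:01:40:00 -0700] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.58.0"
198.51.100.9 - - [24/Jul/2019:01:41:10 -0700] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.45 - - [24/Jul/2019:01:42:30 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def summarize_xmlrpc(log_text, min_hits=3):
    """Summarize POST requests to xmlrpc.php across all client IPs."""
    ips, statuses, agents = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a POST
        # Drop any query string; match the script wherever WordPress is installed.
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        ips[m["ip"]] += 1
        statuses[m["status"]] += 1
        agents[m["agent"]] += 1
    total = sum(ips.values())
    return {
        "total": total,
        "distinct_ips": len(ips),
        "top_ips": ips.most_common(5),
        "statuses": dict(statuses),
        "agents": dict(agents),
        # Flag on the site-wide total: each source may send a single request.
        "suspicious": total >= min_hits,
    }

if __name__ == "__main__":
    print(summarize_xmlrpc(SAMPLE_LOG))
```

To run it against a real log, pass the file contents to summarize_xmlrpc() and pick a min_hits value that fits the site's normal XML-RPC traffic.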
How to protect a WordPress website from the xmlrpc.php attack
Copy and paste the code below into the .htaccess file located in the WordPress root directory.
# Block WordPress xmlrpc.php requests
# (Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, the native form is "Require all denied")
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Hope this article was helpful to you.