GoDaddy Help

Block common WordPress attacks

There are two files commonly used for WordPress brute force attacks: xmlrpc.php and wp-login.php. This article will detail how you can block these attacks.

Warning: Not all IPs are malicious! Blocking the wrong IP can cause downtime (e.g. blocking a CDN or proxy IP that many legitimate visitors pass through).

How can I stop a xmlrpc attack?

  • Use a plugin to disable xmlrpc.
  • Disable xmlrpc.php via the .htaccess file.

  • In your .htaccess file, add this code:
    <Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
    </Files>

Did it work?

If you properly blocked access to xmlrpc.php, the Apache error log will have entries similar to:

[Tue Aug 02 02:37:11.052622 2022] [authz_core:error] [pid 1449:tid 140380133652224] [client 220.85.221.65:51590] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:11.962665 2022] [authz_core:error] [pid 1449:tid 140380007773952] [client 134.122.112.76:51696] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:14.016124 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 14.232.245.48:51854] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
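The following script is an added example, not part of the GoDaddy article, for checking the log on your own server. It parses Apache AH01630 denial lines like the ones above, confirms that the <Files> rule actually fired for xmlrpc.php (and, going one step beyond this section, for wp-login.php too), and tallies the denied requests per source IP so you can see which addresses are hammering the login endpoints. The sample log is constructed inline (the first three lines are the article's entries; the last two are made up, including one unrelated notice line that the parser must skip). Function names and the WATCHED_FILES set are the example's own.

```python
"""Summarize Apache AH01630 denials for WordPress files blocked via .htaccess (example code)."""
import os
import re
from collections import Counter

# Apache 2.4 error-log line written by mod_authz_core when a <Files> block denies a request.
# Captures the timestamp, the client IP (IPv4 or IPv6; the trailing :port is dropped) and the path.
AH01630_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] "
    r"AH01630: client denied by server configuration: (?P<path>\S+)$"
)

# The two files the article blocks. Denials for anything else are ignored in the summary.
WATCHED_FILES = {"xmlrpc.php", "wp-login.php"}

# Constructed sample: three lines from the article plus two invented ones (a repeat
# visitor hitting wp-login.php and a core:notice line that is not a denial).
SAMPLE_LOG = """\
[Tue Aug 02 02:37:11.052622 2022] [authz_core:error] [pid 1449:tid 140380133652224] [client 220.85.221.65:51590] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:11.962665 2022] [authz_core:error] [pid 1449:tid 140380007773952] [client 134.122.112.76:51696] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:14.016124 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 14.232.245.48:51854] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:15.100000 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 220.85.221.65:51902] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/wp-login.php
[Tue Aug 02 02:37:16.000000 2022] [core:notice] [pid 1329:tid 140380243957504] AH00094: Command line: '/usr/sbin/apache2'
"""


def parse_denials(log_text):
    """Return one record per AH01630 line; every other log line is ignored."""
    records = []
    for line in log_text.splitlines():
        m = AH01630_RE.match(line)
        if m:
            records.append({
                "ts": m["ts"],
                "ip": m["ip"],
                "path": m["path"],
                "file": os.path.basename(m["path"]),
            })
    return records


def summarize(records):
    """Count denials per watched file and per client IP."""
    watched = [r for r in records if r["file"] in WATCHED_FILES]
    return {
        "by_file": Counter(r["file"] for r in watched),
        "by_ip": Counter(r["ip"] for r in watched),
    }


def top_sources(records, n=10):
    """The n client IPs with the most denied requests, busiest first."""
    return summarize(records)["by_ip"].most_common(n)


def confirm_block(records, filename):
    """True if at least one denial for filename was logged, i.e. the <Files> rule is active."""
    return any(r["file"] == filename for r in records)


if __name__ == "__main__":
    import sys
    # Read a real error log from the path given on the command line, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_denials(text)
    for name in sorted(WATCHED_FILES):
        print(f"{name}: {'blocked' if confirm_block(recs, name) else 'no denials seen'}")
    for ip, count in top_sources(recs):
        print(f"{count:6d}  {ip}")
```

Run it against your Apache error log (python3 check_denials.py /path/to/error_log) after adding the .htaccess rules. A file showing "no denials seen" while the attack is ongoing usually means the rule is not being applied (AllowOverride disabled, wrong directory, or a typo in the <Files> name). Before copying any IP from the tally into a firewall rule, apply the warning at the top of this article: check that it is not a CDN, proxy, or monitoring address.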

How can I stop a wp-login.php (wp-admin) attack?

  • Use a plugin to limit login attempts.
  • Limit access to the WordPress login page by IP address via the .htaccess file.

  • In your .htaccess file, add this code:
    <Files wp-login.php>
    order deny,allow
    allow from xx.xxx.xx.xxx
    deny from all
    </Files>

Note: Each authorized IP (you, your developer, etc.) will need to have an allow rule added.

Next Steps

Here are some other suggestions you may use to help block malicious traffic:
  • Block IPs in the server's firewall
  • Change the default user from 'admin' to another name
  • Block access to xmlrpc.php and/or wp-login.php in the Apache configuration