Over the last few days my blog has been under heavy attack through the WordPress xmlrpc.php file, a file that is one of the most common targets for exploits.
As a first measure I tried WordPress plug-ins like “Disable XML-RPC Pingback” and “Disable XML-RPC”. Unfortunately, neither plugin was a solution against the attack.
So I decided to delete the xmlrpc.php file, a workaround that was fine until the automatic WordPress update ran. The update restored the xmlrpc.php file and the attack started again.
Finally I found a solution that worked (for me):
I use a .htaccess file to block all requests made to xmlrpc.php at the web server, before PHP is even started. WordPress core updates do not touch .htaccess, so the block survives them.
Just add the following lines to the .htaccess file in the WordPress root:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
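The same block written so that it works on both Apache 2.2 and 2.4, as an added example (this is not the snippet from the original post). Apache 2.4 replaced Order/Deny/Allow with Require; the old directives only keep working there if mod_access_compat is loaded, and mixing old and new directives in one context is a known source of surprises. The IfModule test therefore picks whichever syntax the running server understands. The address 203.0.113.10 is a placeholder for a single fixed IP you might want to exempt, not anything from the original.

```apache
# Added example, not the original post's snippet: block xmlrpc.php on Apache 2.2 and 2.4.
# <Files> matches the file name anywhere under this directory tree.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4+ (mod_authz_core is always present there)
        Require all denied
        # To keep the endpoint reachable from one fixed address instead
        # (e.g. an office IP for the WordPress mobile app), replace the
        # line above with the following; 203.0.113.10 is a placeholder.
        # Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (mod_access / mod_authz_host)
        Order Deny,Allow
        Deny from all
        # Allow from 203.0.113.10
    </IfModule>
</Files>
```

Two things to check after saving the file. First, .htaccess must be allowed to carry these directives: on 2.2 that is AllowOverride Limit, on 2.4 it is AllowOverride AuthConfig (or All) in the vhost, otherwise Apache silently ignores or errors on the block. Second, verify from outside with curl -sI https://yourblog.example/xmlrpc.php; the first line of the reply should be an HTTP 403 rather than 200 or 405, and the WordPress error log should stop showing the requests, because they no longer reach PHP.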
Disadvantage:
Most users do not need the XML-RPC functionality, but some apps, like the WordPress mobile app, need it to work properly. With the block in place, those clients will get a 403 from the server.