Skip to main content

Stopping xmlrpc.php Hacking and DOS Bot Attacks

By February 25, 2016March 5th, 2021Blog, Technology


I’ve had WordPress performance issues lately dealing with site crawlers and bots hammering my sites. After digging into the server logs i’ve found most of these bots are originating from Russia, Asia and South America. Some of these hammer the xmlrpc.php file and others just constantly scan the site almost acting like a DOS (Denial of Service) Attack.

There are a few site and server level things that can be done to harden your security and stop these types of crawlers from killing your bandwidth and loading times.

Check your server logs.

If your xmlrpc.php file is getting hundreds if not thousands of hits per hour deny access to it. Either in the root .htaccess file to deny it for all sites on your server, or in the individual site .htaccess file if you run multiple sites on one server to deny it for just the affected site. Add this code:

# BEGIN protect xmlrpc.php
order allow,deny
deny from all
# END protect xmlrpc.php

Note: adding this code will prevent you from using the WordPress App by Automatic that allows you to manage your website on a mobile device.

Did you know you can block an entire country from viewing your website?

If your site is a US based company and only doing business in the US, then block access to all other countries. I tend to leave the US, Canada and Mexico as white listed and block all other contries. This tends to stop all the malicious attacks from places like Russia, China and South America that i’m pretty sure aren’t viewing my sites.

I found this tool that generates code for your .htaccess file simply by checking what country you want to block. I hope this helps someone.