How To Protect WordPress from XML-RPC Attacks

What is XML-RPC?
How To Protect WordPress from XML-RPC Attacks – WordPress utilizes XML-RPC to remotely execute functions. The popular plugin JetPack and the WordPress mobile application are two great examples of how WordPress uses XML-RPC. This same functionality also can be exploited to send thousands of requests to WordPress in a short amount of time. This scenario is effectively a brute force attack.

Recognizing an XML-RPC Attack
The two main ways to recognize an XML-RPC attack are as follows:
1) Seeing the “Error connecting to database” message when your WordPress site is down
2) Finding many entries similar to “POST /xmlrpc.php HTTP/1.0” in your web server logs
The location of your web server log files depends on what Linux distribution you are running and what web server you are running.

Mitigation xmlrpc ddos

Method 1: Installing the Jetpack Plugin
Ideally, you want to prevent XML-RPC attacks before they happen. The Jetpack plugin for WordPress can block the XML-RPC multicall method requests with its Protect function. You will still see XML-RPC entries in your web server logs with Jetpack enabled. However, Jetpack will reduce the load on the database from these malicious log in attempts by nearly 90%.

Method 2: How to Disable WordPress XML-RPC with .htaccess
While the above solution is sufficient for many, it can still be resource intensive for sites that are getting attacked.
In those cases, you may want to disable all xmlrpc.php requests from the .htaccess file before the request is even passed onto WordPress.
Simply paste the following code in your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 111.222.333.444

Note : 111.222.333.444 is allowed IP

Method 3: Manually Blocking All XML-RPC Traffic
Alternatively, the XML-RPC block can manually be applied to your Apache or Nginx VirtualHost configuration.
Add this line into your vhost configuration and then restart the web server service
<files xmlrpc.php>
order allow,deny
deny from all

Block xmlrpc.php via NGINX

location = /xmlrpc.php {
    deny all;

That All and Good Luck