Thanks for your help.
Is that actually accomplishing anything? I mean, are you seeing just log entries or are the attackers actually getting in or causing a denial of service?
The reason I ask is that any site on the Internet will get attacked. Blocking that file is only necessary if you’re seeing an adverse effect of that POST activity. That’s only one attempted vector and if you look in your log you’ll see many other probes.
My attention was drawn to it because I noticed a significant increase in bandwidth. There are 4,885 log entries just from that IP, attempting to post to xmlrpc.php. Each attempt resulted in 54,971 bytes, which isn’t much, but the total is 268 Mb, with the posts coming about every 2 seconds.
If you don’t need the functionality that xmlrpc.php provides (see Jan’s note), I’d block it even if you’re not seeing a performance hit just to avoid future problems and to rule it out as a factor if you are seeing a slowdown.
Yes, I don’t need that functionality. I think it is used to post remotely. I have no need of that at all.
I will follow that article, so that no one can post. It will then give a 403 or similar, I guess. Will check through the database and see if anything was inserted.
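
An added example, not part of the thread: one way to pull per-IP figures like those quoted above (request count, bytes served, interval between posts) out of an access log, and to confirm from the status codes that a block on xmlrpc.php is taking effect. It assumes the Apache/Nginx combined log format; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumes the Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def summarize_xmlrpc_posts(lines):
    """Per client IP: POSTs to xmlrpc.php, bytes sent, status codes, mean interval."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string and match on the script name only.
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((ts, m["status"], size))
    report = {}
    for ip, rows in hits.items():
        times = sorted(r[0] for r in rows)
        span = (times[-1] - times[0]).total_seconds()
        report[ip] = {
            "requests": len(rows),
            "bytes": sum(r[2] for r in rows),
            # After the block is in place, new entries should show 403 here.
            "statuses": dict(Counter(r[1] for r in rows)),
            "avg_interval_s": span / (len(rows) - 1) if len(rows) > 1 else None,
        }
    return report

# Constructed sample lines using documentation IP ranges, not the poster's logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 54971 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 54971 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 54971 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ip, row in summarize_xmlrpc_posts(SAMPLE_LOG).items():
        print(ip, row)
```

To run it against a real log, pass an open file object instead of `SAMPLE_LOG`; lines that do not match the assumed format are skipped.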