Lots visit on wp-login.php and xmlrpc.php
-
Hello everyone. I’m a total newbie and an email woke me up about an hour ago when someone tried to login into my website’s back-end. I check at Wordfence’s Live Activity and i’m receiving a big amount of visits on /wp-login.php and xmlrpc.php from all over the world (Czech Republic, Malaysia, South Africa, China, Israel, Egypt and so on ).
What’s goin on ? Is someone brute-forcing/DDoSing me ?
Any help would be appreciated
-
Thanks for the bluebearmedia, i’ve change the login page and i block everyone that’s visiting ‘/wp-login.php’ or ‘/xmlrpc.php’. They don’t seem to be able to do something for now but on Live Traffic i can see that they keep coming.
Any idea why they’re visiting first ‘/xmlrpc.php’ and then ‘/wp-login.php’ ?
I took this photo earlier in the morning. Since then i’m blocking everyone visiting those two pages.
” i block everyone that’s visiting ‘/wp-login.php’ or ‘/xmlrpc.php’”
Are you saying you’ve added those to the “Block immediately” list and they’re still not showing as being blocked in the Live Traffic?
When it’s working properly, what should appear in the Live Traffic is “NNNNNNNN, United States was blocked: Accessed a banned URL. at nnnnnnnnn.com/wp-login.php” for any link listed in the “immediately block” list.
If that’s not happening, then WF support needs to step in on this one!
That’s fine if they use different IPs – they’d all get blocked…. however, with that kind of attack, the blocked IP list will fill up very quickly, causing website resource issues for you.
The better approach for continual wp-login or xmlrpc attacks is block them right at the htaccess level, before they even hit your website. Basically, completely disallow access to the wp-login and xmlrpc URLs, right from htaccess.
(For actual DDOS attacks, you may have to get your host server involved, as they can completely cripple a server by overloading its response resources, independent of any websites on it).
mrpowerup, that is indeed the usual way, that will block the bots before they get to Wordfence. Just be sure you have access to edit your .htaccess file in case your WP Hide Login plugin quits working and you need to access the normal login URL to admin your WordPress site. As with all this sort of thing, test yourself by making a temporary file on your server, then access without a .htaccess block, then add the .htaccess block and test again.
On the other hand, for fun and education, you can instead add wp-login.php to your WordFENCE “Immediately block IPs that access these URLs” in your Wordfence options. This will act as a “honey pot” and you’ll get to easily see what those bots are doing.
Another tweak: If you’re getting thousands of blocked bot hits via Wordfence, it’s a good idea to modify your Wordfence blocked message so it gives less information and uses less bandwidth. It’s a ridiculously cumbersome and information heavy file that is unneeded once you have some experience with Wordfence, WordPress and .htaccess. The file is /plugins/wordfence/lib/wf503.php I change mine to have NO php, NO live links, and just 25 or so words of explanation. Sadly, wf503.php gets written over each time there is one of the rather numerous Wordfence updates. Hopefully the folks at Wordfence will eventually build in a feature that allows use of custom block message files.
MTN
- The topic ‘Lots visit on wp-login.php and xmlrpc.php’ is closed to new replies.
