Fail2Ban to stop WordPress hack attempts

Fail2Ban or similar (CrowdSec, Denyhosts, IPBanPro) are apps that can block access to your server based on rules. There are some built in rules, but you can also add your own.

WordPress gets hammered on XML-RPC if you have it active. If you don’t need it then you should definitely turn it off. Basically XML-RPC lets remote clients talk to your WordPress instance, which means you can authorise mobile apps, desktop software, or other sites to access/post to your site, great if you have a custom mobile app and don’t want to use the built-in editor.

However, the same endpoint lets your site be brought down by a denial of service attack, or lets bots hammer away with authentication attempts. This can slow or kill your site, and possibly give away login details. Also, your server logs can bloat out by megabytes … freaking 16000 attempts in one hour is a lot of log file.

Anyway, if you’re a Linux nerd you’ll probably know that there are plenty of utilities that can help you detect and cut off these net goblins reasonably effectively. I’m assuming that you have already installed (apt / yum / zypper) fail2ban. With fail2ban, you need to define the filter (filter.d/xmlrpc.conf) and the jail that uses that filter (jail.local). This tells fail2ban to check whether an IP has accessed xmlrpc.php 10 times or more in the last 120 minutes, then “jail” that IP address for a day (86400 seconds).

nano /etc/fail2ban/jail.local

[xmlrpc]
enabled = true
port = http,https
filter = xmlrpc
logpath = /var/log/apache2/*access?log
maxretry = 10
# findtime and bantime are in seconds: 7200 is the 120 minutes described above
findtime = 7200
bantime = 86400
banaction = iptables-allports

nano /etc/fail2ban/filter.d/xmlrpc.conf

[Definition]
# <HOST> is fail2ban's placeholder for the client address; the filter will not load without it
failregex = ^<HOST> .* "POST .*xmlrpc\.php
ignoreregex =

Note that, depending on your Linux version and flavour, the files may be located in a different folder, and your log may be using a different format. I use “combined”, so you might need to play with the regex, but you get the idea.
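To check the filter against log lines before deploying it, here is an added Python example (not from the post, and not fail2ban's own code) that expands the `<HOST>` placeholder roughly as fail2ban does, runs the regex over constructed combined-format lines, and applies the jail's maxretry/findtime window; the HOST_GROUP pattern and the sample log are simplifications I made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The filter's failregex, with fail2ban's <HOST> placeholder expanded the way
# fail2ban does: a named group matching an IP address or hostname (simplified here).
FAILREGEX = r'^<HOST> .* "POST .*xmlrpc\.php'
HOST_GROUP = r'(?P<host>[0-9a-fA-F:.]+|[\w.-]+)'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))

# Apache "combined" timestamp, e.g. [10/Oct/2023:13:55:36 +0000]
TIMESTAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')
TS_FORMAT = '%d/%b/%Y:%H:%M:%S'

def parse_line(line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = PATTERN.match(line)
    t = TIMESTAMP.search(line)
    if not m or not t:
        return None
    return m.group('host'), datetime.strptime(t.group(1), TS_FORMAT)

def hosts_to_ban(lines, maxretry=10, findtime=7200):
    """Sliding-window check as the jail applies it: a host is banned once it
    has maxretry matches within findtime seconds (default 120 minutes)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

def sample_log():
    """Constructed combined-format lines (not real traffic): 203.0.113.7 POSTs
    to xmlrpc.php ten times in nine minutes, 198.51.100.2 twice, and
    192.0.2.9 only GETs it, which the filter must not count."""
    fmt = ('{ip} - - [10/Oct/2023:13:{mm:02d}:00 +0000] "{req} HTTP/1.1" '
           '200 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip='203.0.113.7', mm=i, req='POST /xmlrpc.php') for i in range(10)]
    lines += [fmt.format(ip='198.51.100.2', mm=i, req='POST /xmlrpc.php') for i in (1, 5)]
    lines.append(fmt.format(ip='192.0.2.9', mm=3, req='GET /xmlrpc.php'))
    return lines
```

Running the same sample with findtime=120 bans nobody, which is why the units matter: fail2ban counts findtime in seconds. For the real thing, fail2ban ships `fail2ban-regex`, e.g. `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/xmlrpc.conf`, which reports how many lines your filter matched.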
