Block XML-RPC for WordPress using Cloudflare
I recently had a spate of login attempts on multiple sites all trying to login using xml-rpc.
Sometimes hundreds of requests per day.
After doing a bit of research, I found that an effective method to block this was to use Cloudflare. As my sites are already managed on Cloudflare free, I could quickly block this attack.
I followed this helpful guide.
The updated instructions for the method are:
In the Cloudflare domain dashboard click on WAF then Create Rule.
![cloudflare waf dash Block XML-RPC for WordPress using Cloudflare cloudflare waf dash](https://iuseful.b-cdn.net/wp-content/uploads/2023/09/cloudflare-waf-dash-1024x445.jpg)
Give your rule a name, any name.
Set up the rule as follows:
- in “Field” select “URI Path”
- Operator “contains”
- Value “/xmlrpc.php
- then click “AND”
- in “Field” select “Request Method”
- Operator “equals”
- Value “Post”
- Then under “Then take action…” select Block
- Finally, click “Deploy”
![cloudflare waf clock xmprpc Block XML-RPC for WordPress using Cloudflare cloudflare waf clock xmprpc](https://iuseful.b-cdn.net/wp-content/uploads/2023/09/cloudflare-waf-clock-xmprpc-1024x624.jpg)