Block XML-RPC for WordPress using Cloudflare
I recently had a spate of login attempts on multiple sites, all trying to log in using XML-RPC.
Sometimes hundreds of requests per day.
After doing a bit of research, I found that an effective method to block this was to use Cloudflare. As my sites are already managed on Cloudflare free, I could quickly block this attack.
I followed this helpful guide.
The updated instructions for the method are:
In the Cloudflare domain dashboard click on WAF then Create Rule.
Give your rule a name, any name.
Set up the rule as follows:
- in “Field” select “URI Path”
- Operator “contains”
- Value “/xmlrpc.php”
- then click “AND”
- in “Field” select “Request Method”
- Operator “equals”
- Value “Post”
- Then under “Then take action…” select Block
- Finally, click “Deploy”
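
To see which requests this rule would match before deploying it, the same two conditions can be run over the origin's access log. This is an added example, not part of the original guide: the log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The rule above, in Cloudflare's expression form:
#   (http.request.uri.path contains "/xmlrpc.php" and http.request.method eq "POST")

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:02:10 +0000] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 200 403 "-" "curl/8.0"
198.51.100.20 - - [12/Mar/2024:10:02:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"
192.0.2.55 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:10:03:05 +0000] "GET /?page=/xmlrpc.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def rule_matches(method, target):
    """Mirror the rule: URI Path contains /xmlrpc.php AND Request Method equals POST."""
    # "URI Path" excludes the query string, so strip it before the substring test.
    path = urlsplit(target).path
    return "/xmlrpc.php" in path and method == "POST"


def would_block(log_text):
    """Count, per client IP, the logged requests the rule would have blocked."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and rule_matches(m.group(2), m.group(3)):
            hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    for ip, count in would_block(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} request(s) the rule would block")
```

Because the operator is “contains”, a copy of the file in a subdirectory such as /blog/xmlrpc.php is also covered, while GET requests and requests that only mention the file name in the query string are left alone.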