Block XML-RPC for WordPress using Cloudflare

I recently had a spate of login attempts on multiple sites, all trying to log in using XML-RPC.

Sometimes hundreds of requests per day.

After doing a bit of research, I found that an effective method to block this was to use Cloudflare. As my sites are already managed on Cloudflare free, I could quickly block this attack.

I followed this helpful guide.

The updated instructions for the method are:

In the Cloudflare domain dashboard, click on WAF, then Create Rule.

Give your rule a name, any name.

Set up the rule as follows:

  1. in “Field” select “URI Path”
  2. Operator “contains”
  3. Value “/xmlrpc.php”
  4. then click “AND”
  5. in “Field” select “Request Method”
  6. Operator “equals”
  7. Value “Post”
  8. Then under “Then take action…” select Block
  9. Finally, click “Deploy”
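
To see how much traffic this rule would catch before or after deploying it, the same two conditions can be replayed over the origin web server's access log. This is an added example, not part of the original post or of Cloudflare's tooling; it assumes combined log format, and the function names and sample lines are made up for illustration.

```python
import re
from collections import Counter

# Combined log format: ip - - [day/Mon/year:time zone] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}'
)

def rule_matches(method, target):
    """Local mirror of the rule: URI Path contains "/xmlrpc.php" AND method is POST."""
    path = target.split("?", 1)[0]  # the URI Path field does not include the query string
    return method == "POST" and "/xmlrpc.php" in path

def count_matches(lines):
    """Count requests the rule would block, keyed by (day, client IP)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and rule_matches(m["method"], m["target"]):
            hits[(m["day"], m["ip"])] += 1
    return hits

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"',
    # GET is not covered by the rule
    '198.51.100.9 - - [12/Mar/2024:10:05:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
    # "contains" also matches a WordPress install in a subdirectory
    '198.51.100.9 - - [12/Mar/2024:10:06:00 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 200 403 "-" "-"',
    '192.0.2.4 - - [13/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "-"',
    # the string appears only in the query, so the path condition does not match
    '192.0.2.4 - - [13/Mar/2024:09:00:01 +0000] "POST /contact?ref=/xmlrpc.php HTTP/1.1" 200 88 "-" "-"',
]

if __name__ == "__main__":
    for (day, ip), n in count_matches(SAMPLE_LOG).most_common():
        print(f"{day}  {ip:<15}  {n} request(s) the rule would block")
```

Once the rule is deployed, new matching lines should stop appearing in the origin log, because Cloudflare blocks those requests before they reach the server.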
