Securing xmlrpc

A couple of days ago I got an email from my hosting company saying that they had received complains from a third party about “attacks” from my server. They were very unclear about what the attacks were, but I investigated and discovered many hundreds of requests being made to my xmlrpc URL.

They were all coming from the same IP address, so I blocked that address. But a minute or so later they started up again from another address. Having repeated that process I few times, I got bored and just renamed my xmlrpc file.

That’s only a temporary solution though. I use the WordPress Android app, so I need access to xmlrpc (I think that’s correct – please let me know if I’m wrong).

So I have two questions:

1/ Is it possible to make xmlrpc available in a way that allows only authorised users to have access to it? What do other sites do to prevent this kind of abuse?

2/ Is it possible to see exactly what this attacker was doing? As the HTTP requests were POSTs, in the web sever access log I get no details of the parameters used. Are these logged somewhere by WordPress?

Any advice would be very welcome.

Thanks,

Dave…