Instead of completely disabling XML-RPC, I’d suggest disabling pingbacks only, as it’s the main vector of attack for spammers at the moment:
http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
You can use this small plugin to disable pingbacks:
https://ww.wp.xz.cn/plugins/disable-xml-rpc-pingback/
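As an added illustration (not code from this thread or from the linked plugin), the same effect can be had with a small must-use plugin that unregisters only the two pingback methods from WordPress core's XML-RPC server and drops the X-Pingback header, leaving the rest of XML-RPC (which Jetpack relies on) untouched. It assumes core's `xmlrpc_methods` and `wp_headers` filters; drop it into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks only (example)
 * Description: Removes the pingback methods from the XML-RPC server
 *              without disabling XML-RPC as a whole.
 */

// Unregister only the pingback methods; everything else stays available.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    // 'pingback.ping' is the method abused for reflected/amplified requests.
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in the response headers.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

To confirm it took effect, call `system.listMethods` against xmlrpc.php and check that no `pingback.*` entries are returned.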
Thanks, I didn’t see that one. I will try it on some sites.
My solution for now was to confirm with one of my app/publishing partners what their dedicated IP address is so I could ALLOW it via the htaccess file. They have one, so that’s what I have done (and DENY all others). Also, at server level I am putting in some custom code with iptables to further restrict bad guys from the server in general.
For the record, I use Jetpack and have been looking to see what functionality I have lost, but have not found any so far. I know they can’t access xmlrpc.
Thanks Jeremy
Craig
You could whitelist Jetpack’s IP addresses as well, but these are subject to change so things will break whenever we change our IP addresses in the future. It also becomes a pain whenever you want to use a new plugin or service. For these reasons, I usually do not recommend whitelisting.
But in case you still need them, most of our IPs can be found here:
http://whois.arin.net/rest/org/AUTOM-93/nets
You’ll also need to add 185.64.140.0/22 and a04:fa80::/29 to the list.
I’ve pulled the htaccess whitelist and just have anti-pingback enabled. I’ll monitor and see how many process vamps latch onto Apache. There are 3 or 4 at a time starting threads but then dying, so maybe this will work.
Thanks Jeremy