xmlrpc & wp-login
====================================================================================
XMLRPC
Identifying the total number of xmlrpc requests:
grep -ci 'xmlrpc' /path/to/access/log
------------------------------------------------------------------------------------------------------------------------------------------------
Blocking/Disabling XMLRPC
Apache - .htaccess:
<Files ~ xmlrpc>
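# Apache 2.2-style access control; on Apache 2.4 these directives require mod_access_compat
Order deny,allow
Deny from all
# If required, allow a trusted IP (Apache comments must be on their own line)
Allow from IP_IP_IP_IP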
</Files>
nginx -
====================================================================================
WP-LOGIN
Identifying the total number of wp-login requests:
grep -ci 'wp-login' /path/to/access/log
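As an added example (not part of the original page), the script below breaks the xmlrpc and wp-login counts down per client IP and matches the request path instead of any line containing the string, so a page such as /about-xmlrpc/ is not counted. It assumes the combined log format; the function names, the threshold argument and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: per-client hits on xmlrpc.php / wp-login.php.
# Assumes combined log format: $1 = client IP, $6 = "METHOD, $7 = request path.

# Constructed sample log (documentation-range IPs), not real traffic.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:02:05 +0000] "GET /about-xmlrpc/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# count_by_ip LOG ENDPOINT -> "COUNT IP" lines, busiest client first
count_by_ip() {
    awk -v ep="$2" '
        { path = $7; sub(/\?.*/, "", path) }   # ignore the query string
        substr(path, length(path) - length(ep)) == "/" ep { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# noisy_ips LOG ENDPOINT MIN -> IPs with at least MIN POSTs to ENDPOINT
noisy_ips() {
    awk -v ep="$2" -v min="$3" '
        { path = $7; sub(/\?.*/, "", path) }
        $6 == "\"POST" && substr(path, length(path) - length(ep)) == "/" ep { posts[$1]++ }
        END { for (ip in posts) if (posts[ip] >= min) print ip }
    ' "$1" | sort
}

log=$(mktemp)
sample_log > "$log"
for ep in xmlrpc.php wp-login.php; do
    echo "== $ep =="
    count_by_ip "$log" "$ep"
done
echo "== clients with 2+ POSTs to wp-login.php =="
noisy_ips "$log" wp-login.php 2
rm -f "$log"
```

Against a real log, replace the sample file with the access log path and pick a POST threshold that fits the site's normal login volume.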
Blocking/Disabling WP-LOGIN Access
Firstly, I personally recommend that all clients do the following:
- Change the wp-login admin URL
- Limit access to wp-login by IP
Changing wp-login URL:
Plugin: Changing the wp-login URL can be achieved using a plugin - such as 'Admin login URL Change'
Changing the wp-login.php file directly:
Edit the wp-login.php file and locate the string beginning with 'site_url':
action="<?php echo esc_url( site_url( 'wp-login.php?action=confirm_admin_email', 'login_post' ) ); ?>" method="post">
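After site_url in the example above, you'll see that wp-login.php is specified. Changing the string here will update the admin URL for that WordPress instance. Because wp-login.php is a WordPress core file, the edit is overwritten by core updates and has to be reapplied afterwards.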
Limiting wp-login access by IP
Apache - .htaccess
<Files ~ wp-login>
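# Apache 2.2-style access control; on Apache 2.4 these directives require mod_access_compat
Order deny,allow
Deny from all
# If required, allow a trusted IP (Apache comments must be on their own line)
Allow from IP_IP_IP_IP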
</Files>
nginx -