This looks like a spam bot or an enumeration rather than a DDoS attack. To be sure, you should look into your resource consumption, the dynamic of IP addresses and maybe the payloads.
1. Blocking access to the `xmlrpc.php` file:
I think you shouldn’t:
- It cannot help you survive a real DDoS attack.
- As @cybmeta said, it might break many third party services.
- Allowing access from certain IPs also doesn't help because IPs can be faked and you cannot list all IPs which will use the XML-RPC service.

I often log all IPs which make requests to `xmlrpc.php` and use iptables to set up a rate limit. Then, I block IPs which are surely evil.
2. How to know if your site is using xmlrpc.php
- Functions and resources in WordPress which use the XML-RPC service have the `xmlrpc` string in their function names or file names, so you can skim through your theme and plugins to check if there are any matches.
- All XML-RPC requests in WordPress go through `xmlrpc.php`, which calls `define('XMLRPC_REQUEST', true)`, so you can use:
```php
if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) {
    // Log something.
    // Or exit immediately if something is evil in the request.
}
```
Note that you cannot use the code in theme/plugin files. `xmlrpc.php` is independent from themes and plugins so you must put it in your `wp-config.php` file.
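
The answer above suggests looking at the dynamic of IP addresses and logging every IP that requests `xmlrpc.php` before deciding what to rate limit or block. The following is an added example, not code from the answer's author: it summarizes POSTs to `xmlrpc.php` per client IP and per minute from a web server access log. It assumes the common "combined" log format; the sample lines are constructed and the `per_minute_limit` threshold is a hypothetical value to tune for your site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the common "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "bot"
203.0.113.7 - - [12/Mar/2024:10:00:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "bot"
198.51.100.20 - - [12/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
198.51.100.20 - - [12/Mar/2024:10:07:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
192.0.2.55 - - [12/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_hits_per_minute(log_text):
    """Return {ip: Counter({minute: hits})} for POSTs to xmlrpc.php."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string so /xmlrpc.php?x=1 is counted too.
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]][ts.strftime("%Y-%m-%d %H:%M")] += 1
    return hits

def summarize(log_text, per_minute_limit=3):
    """Total hits, peak rate and an over-limit flag for each client IP."""
    report = {}
    for ip, minutes in xmlrpc_hits_per_minute(log_text).items():
        peak = max(minutes.values())
        report[ip] = {"total": sum(minutes.values()), "peak_per_minute": peak,
                      "over_limit": peak > per_minute_limit}
    return report

if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, row)
```

An IP with a low, steady rate and a known user agent is more likely a legitimate XML-RPC client, while a high peak from one address points to the bot-like traffic the answer describes.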