This is the most specific solution I could find as it disables only the single function being attacked.
functions.php:
function Remove_Unneeded_XMLRPC( $methods ) {
unset( $methods['wp.getUsersBlogs'] );
return $methods;
}
add_filter( 'xmlrpc_methods', 'Remove_Unneeded_XMLRPC' );
found this at: http://www.cryptobells.com/more-wordpress-xmlrpc-brute-force-attacks/
For a broader solution there is a WordPress plugin called “Disable XML-RPC” which does precisely that, disables the entire XML-RPC functionality.
Related Posts:
- Best way to eliminate xmlrpc.php?
- How to secure WordPress XMLRPC?
- How to disable XML-RPC from Linux command-line in a total way?
- XML-RPC errors they know my username?
- XMLRPC slow and weird websites/services
- Can I Remove xmlrpc.php completely?
- Checking for origin of a xmlrpc request
- SSL Error: unable to get local issuer certificate
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
- Why does the URL http://a/%%30%30 crash Google Chrome?
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
- Can an attacker use inspect element harmfully?
- Where does Internet Explorer store saved passwords?
- WordPress 4.7.1 REST API still exposing users
- Should I escape wordpress functions like the_title, the_excerpt, the_content
- Why does WordPress need my private ssh key to update?
- When to use esc_html and when to use sanitize_text_field?
- Why does WordPress have more than one salt?
- What is the ideal setup to address security concerns?
- Will there be security updates for 3.1 once 3.2 is released?
- WordPress it’s cleaning a custom query_var to avoid sql injections?
- Tips for finding SPAM links injected into the_content
- Close a wordpress blog – keep site as it is but prevent hacks
- Is WordPress vulnerable to the httpoxy?
- Prevent setup-config.php page from appearing when host blocks database
- How to get WordPress to save upload file beyond web root [closed]
- WordPress and Security
- Is security a problem in WordPress?
- Moving wordpress out of the public directory
- Is /wp-login.php?redirect_to[] exploitable?
- Logout via Subdomain, non-wordpress page on a different server?
- brute force attack even though it is limited by IP
- What should I do about hacked server?
- How do I authenticate WP users from a chrome extension?
- Can’t reset WordPress password
- Website is being flooded [closed]
- Should I Worry About SQL Injection When Using wp_insert_post?
- XMLRPC filtering through htaccess not working
- Auth cookie value security risk?
- Is there a way for a user to have an alias?
- Security – Shortcode injection attack
- Registration Plugin – Recaptcha integration
- Security threat with `home_url`?
- How to combat flooding admin-ajax.php?
- Moving away from MD5: Where to declare the custom global $wp_hasher?
- Would it be dangerous to send all the wp_options to javascript file?
- Frequently getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php
- Should I disable directory listing for wp-includes?
- Safety side of storing emoji into database
- Verifying that I have fully removed a WordPress hack?
- Large Session Tokens
- How can I safely hide the fact that my website runs on WordPress? [closed]
- How to change permissions of WordPress and/or apache on macOS securely?
- How can I display nickname instead username in links
- My WordPress Websites are always under attack
- Is there value in using a wp_nonce for POST requests?
- Using an Encryption class in a WordPress Plugin
- How to hide easy access to my website temporarily?
- Config file with no Keys..?
- How much should I worry about these messages?
- Uploading .webm format on WordPress results in security guidline breach and fail
- Any any insecure http:// URLs left in wordpress?
- White screen of death on admin pages after moving wp-config up two levels for security
- Session Cookie security questions
- Storing FTP details in wp-config.php
- Can a WordPress administrator see other users’ passwords?
- Why my plugins are updating automatically?
- Spam injected in w3 total cache page cache [closed]
- Privilege escalation bugs in 2.9?
- Content-Security-Policy blocks WordPress check boxes from being activated
- How to distinguish between a hack and an encoding error?
- Prevent editor from adding script or form
- How to change location of wp-config.php to folder or 2 folders up?
- Finding where a snippet of code is coming from
- wordpress admin security
- Remove hacked code – out of ideas! [closed]
- Why do people use “admin” username by default? [closed]
- WordPress Database Re-installed (Hacked)
- WordPress Security tools
- Robots.txt file not updating
- Security: Critical backend outside of wordpress
- Advice On How to Backup WordPress
- How can I stop other plugins from using my class’ sensitive methods?
- What are WordPress Current Security Issues in 2017?
- wp-config.php moved above root results in no plugin updates
- Password-protect feed and make it usable in major aggregators
- WordPress exploited theme is causing high io load on server
- how to find the way they hacked my WP site
- How to set custom validation for WordPress Passwords?
- How to stop repeated hack on header.php of custom theme? [closed]
- is this code properly secured
- nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
- How to get real password (before encrypt) when register a user?
- checking the form submit in right order
- Our security auditor is an idiot. How do I give him the information he wants?
- I am under DDoS. What can I do?
- SSH keypair generation: RSA or DSA?
- How do I protect my company from my IT guy? [closed]
- Does changing default port number actually increase security? [closed]
- WordPress – tracking options