On Thu, Oct 2, 2014 at 11:52 AM, jwyeth.arch@gmail.com wrote:
Disabling XMLRPC completely via wp-config.php is quite easy. I can send required info when I'm in front of a computer. You can also use an .htaccess rule for Apache to stop requests completely. I'm sure there are also rules for Nginx, lighttpd, etc. that can be found quite easily via Google. Surprised most people don't have this disabled/blocked already.
+1
I wrote an Apache rewrite rule (saved it in a separate file) that I can include on any WordPress sites getting hammered by requests to xmlrpc. There's also wp-login as well that gets brute forced from time to time.
I was kicking back an HTTP 410 (gone, as opposed to 403 or 404). Of course they're stupid bots, so they keep hammering away!
With some ISPs using NAT, I prefer the rewrite rule solution ... that way it stops the requests and doesn't block the IP entirely. Pros and cons of course, but I prefer a conservative approach first rather than a heavy-handed one.
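
A sketch of the kind of include file described in the message above, added here as an example and not the poster's actual rule. The file name and include path are assumptions; the directives and flags are standard mod_rewrite and mod_alias.

```apache
# wp-xmlrpc-block.conf  (hypothetical file name)
# Pull it into each affected site from inside its <VirtualHost> block, e.g.:
#   Include conf/snippets/wp-xmlrpc-block.conf   (path is an assumption)
# The same directives also work when pasted into a site's .htaccess.

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match xmlrpc.php in the docroot or in a subdirectory install.
    # (^|/) covers both contexts: vhost rules see "/xmlrpc.php",
    # .htaccess rules see "xmlrpc.php" with the leading path stripped.
    # "-" means no substitution; [G] answers 410 Gone and ends processing,
    # so the request never reaches PHP. [NC] ignores case.
    RewriteRule (^|/)xmlrpc\.php$ - [G,NC]
</IfModule>

# Fallback for servers without mod_rewrite: mod_alias can return 410 too.
<IfModule !mod_rewrite.c>
    <IfModule mod_alias.c>
        RedirectMatch gone "(^|/)xmlrpc\.php$"
    </IfModule>
</IfModule>
```

Because the rule matches on the URL rather than the client address, users behind a shared NAT address keep access to the rest of the site. Anything that relies on XML-RPC (remote publishing clients, pingbacks) stops working once this is included.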