On Thu, 2 Oct 2014, jwyeth.arch at gmail.com wrote:

> Disabling XMLRPC completely via wp-config.php is quite easy. I can
> send required info when I'm in front of a computer. You can also use
> an .htaccess rule for Apache to stop requests completely. I'm sure
> there are also rules for Nginx, lighttpd, etc. that can be found quite
> easily via Google. Surprised most people don't have this
> disabled/blocked already.

Another good trick to keep IP-based scanners off your back is to make
sure that all HTTP requests have a valid Host: header.

In Apache, it's easy. The first-listed <VirtualHost> declaration is the
default if a client fails to provide a Host: header in the request. So
the initial virtual host is basically a deny-all container, e.g.,

  <VirtualHost *:80>
    ServerSignature off
    <Location />
      <RequireAny>
        Require local
        Require ip [some administrative IP addr]
      </RequireAny>
    </Location>
  </VirtualHost>

  <VirtualHost *:80>
    ServerName www.you.com
    # the real work happens here ...
  </VirtualHost>

For extra credit, you can write a fail2ban filter that scans the default
ErrorLog for telltale signs of IP-based scanning (watch out for
unintended line-wrapping in the example below).

  # /etc/fail2ban/filter/apache-iponly.conf
  [DEFAULT]
  _apache_error_msg = \[[^]]*\] \[\S*:error\] \[pid \d+\] \[client <HOST>(:\d{1,5})?\]

  [Definition]
  failregex = ^%(_apache_error_msg)s (AH0\d+: )?client denied by server configuration: (uri )?.*$
              ^%(_apache_error_msg)s script '\S+' not found or unable to stat(, referer: \S+)?\s*$

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
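As an added example (not part of the post above), the two failregex lines from the fail2ban filter are expanded by hand into Python and run over constructed Apache 2.4 ErrorLog lines, so you can see which client addresses the filter would count toward a ban before deploying it. The <HOST> tag is approximated with a simple pattern; that, the sample log lines and the function names are assumptions made for this demo.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (the real one also copes
# with IPv6-mapped prefixes); an assumption made for this demo only.
HOST = r"(?P<host>[\w\-.]*\w)"

# The filter from the post, with fail2ban's %(...)s interpolation and the
# <HOST> tag expanded by hand into one plain Python regex per failregex line.
APACHE_ERROR_MSG = (
    r"\[[^\]]*\] \[\S*:error\] \[pid \d+\] \[client " + HOST + r"(:\d{1,5})?\]"
)
FAILREGEX = [
    re.compile(r"^" + APACHE_ERROR_MSG
               + r" (AH0\d+: )?client denied by server configuration: (uri )?.*$"),
    re.compile(r"^" + APACHE_ERROR_MSG
               + r" script '\S+' not found or unable to stat(, referer: \S+)?\s*$"),
]

# Constructed Apache 2.4 ErrorLog lines (documentation addresses, not real traffic).
# Lines 1, 2 and 4 should match; line 3 is a normal notice and should not.
SAMPLE_LOG = """\
[Thu Oct 02 12:34:56.123456 2014] [authz_core:error] [pid 1234] [client 203.0.113.5:51234] AH01630: client denied by server configuration: /var/www/html/
[Thu Oct 02 12:35:01.000000 2014] [cgi:error] [pid 1235] [client 198.51.100.7:40000] script '/var/www/cgi-bin/php' not found or unable to stat
[Thu Oct 02 12:36:00.000000 2014] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/apache2'
[Thu Oct 02 12:37:10.000000 2014] [authz_core:error] [pid 1236] [client 203.0.113.5:51240] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
"""


def match_host(line):
    """Return the client host if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text):
    """Tally failregex hits per client host, the number fail2ban compares
    against maxretry within findtime before banning."""
    counts = {}
    for line in log_text.splitlines():
        host = match_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))  # {'203.0.113.5': 2, '198.51.100.7': 1}
```

Running `fail2ban-regex /var/log/apache2/error.log apache-iponly.conf` against the real filter file is the equivalent check once it is installed.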