This isn’t anything new: SANS ISC reported on it two years ago. Attackers love anything that can be turned into a reflection DoS, and the WordPress XML-RPC interface (xmlrpc.php, whose pingback method will make your server fetch a URL of the attacker’s choosing) is a prime candidate. There are various ways to disable it, through WordPress plugins for example, or by hacking away at the code. All of these are fine if you’re in control of what gets installed on the web server. In a shared hosting environment you’ve got to rely on your users, and that is exactly what you don’t want to do.

Running Apache 2.4 you can block XML-RPC globally, for every vhost at once, with the following (1.2.3.4 is a placeholder for your own address):

# Disable access to xmlrpc.php for WordPress.
# Apart from localhost and our own IP address.
<Files xmlrpc.php>
        Require ip 127.0.0.1 1.2.3.4
</Files>

The configuration should be placed in the global Apache configuration (the main httpd.conf or a snippet under conf.d), not in a .htaccess file that a hosting customer could edit. When any file called xmlrpc.php is requested, on any vhost, from an IP address not listed on the Require ip line, a 403 Forbidden is served instead of the script being run. Require is the Apache 2.4 mod_authz_core syntax; on 2.2 the equivalent inside the same Files block is Order deny,allow / Deny from all / Allow from 127.0.0.1 1.2.3.4. Be aware that this breaks anything which drives WordPress over XML-RPC from outside, Jetpack in particular, since Jetpack is controlled from WordPress.com’s servers: if you need it, the address ranges Jetpack publishes have to be added to the Require ip line as well. To verify the block, run curl -sI -X POST https://example.com/xmlrpc.php (example.com standing in for one of your vhosts) from an address that is not on the list and check that the response is HTTP 403.

I’ve seen a few examples where, even after doing this, the bad guys still continuously request xmlrpc.php despite being served a 403 error. Each of those requests still costs a connection and a log line, so to further protect the web server fail2ban can be deployed to ban the offending addresses at the firewall.

Firstly create a filter definition, in /etc/fail2ban/filter.d/apache-xmlrpc.conf so that its name matches the filter = line of the jail below:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\/xmlrpc\.php.* HTTP\/.*
ignoreregex =

Then create the jail, in /etc/fail2ban/jail.local or a file under /etc/fail2ban/jail.d/, adjusting logpath to wherever your vhosts’ access logs actually live (the glob below is this server’s layout, not a standard one):

[apache-xmlrpc]
enabled  = true
filter   = apache-xmlrpc
port     = http,https
logpath  = /opt/logs/www/*/www/*/logs/access.log
maxretry = 3
# findtime and bantime are fail2ban's defaults (600 s) unless overridden here.
findtime = 600
bantime  = 600
# The filter matches every request for xmlrpc.php, allowed or not, so
# whitelist the same addresses as the Apache "Require ip" line.
ignoreip = 127.0.0.1/8 1.2.3.4

Now when someone requests xmlrpc.php 3 times within the findtime (10 minutes by default) their IP address is banned by fail2ban’s default iptables action for the bantime (also 10 minutes by default). Two things to keep in mind: the filter matches on the request line only, so a 403 counts exactly like a 200, which is what you want for the repeat offenders; but for the same reason the addresses you allowed in Apache must also be listed in the jail’s ignoreip, otherwise your own clients will ban themselves after three legitimate calls.
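To see how the filter and jail above behave before pointing fail2ban at live logs, here is an added example (not from the original post and not fail2ban’s own code) that replays the failregex exactly as written over a handful of constructed access-log lines and applies the jail’s maxretry, findtime and ignoreip logic with a sliding window. The <HOST> expansion to a plain IPv4 group, the 10-minute findtime and the 203.0.113.0/24 and 198.51.100.0/24 client addresses are assumptions for the demonstration; 1.2.3.4 is the placeholder used in the text.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex exactly as written in the filter above.  fail2ban substitutes
# its own host-matching group for <HOST>; here it is expanded to a plain IPv4
# group (an assumption that is enough for the constructed lines below, the real
# expansion also handles IPv6 and hostnames).
FAILREGEX = r'^<HOST> -.*"(GET|POST).*\/xmlrpc\.php.* HTTP\/.*'
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FAILREGEX_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))

# Combined-log timestamp field, e.g. [10/Oct/2023:13:55:01 +0000]
TIMESTAMP_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')

# Jail settings mirrored from the text: maxretry = 3, findtime at fail2ban's
# default of 10 minutes.  ignoreip carries the same allowlist as the Apache
# "Require ip" line (1.2.3.4 is the placeholder address used in the text).
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
IGNOREIP = ['127.0.0.1/8', '1.2.3.4']

# Constructed access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
1.2.3.4 - - [10/Oct/2023:13:55:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
1.2.3.4 - - [10/Oct/2023:13:55:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
1.2.3.4 - - [10/Oct/2023:13:55:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:08 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:30:00 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:30:01 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88"
"""


def parse_line(line):
    """Return (ip, timestamp) when the line matches the filter, else None.

    The filter inspects only the request line: a 403 counts exactly like a
    200, which is the point of the jail (the 403s keep coming).
    """
    m = FAILREGEX_RE.match(line)
    if not m:
        return None
    t = TIMESTAMP_RE.search(line)
    if not t:
        return None
    ts = datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), ts


def is_ignored(ip, ignoreip):
    """True if ip lies inside any network listed in ignoreip (fail2ban syntax)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)


def find_bans(lines, ignoreip=IGNOREIP, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines and return {ip: time_of_ban} for every address that
    produced maxretry matches inside a sliding findtime window."""
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        window = hits[ip]
        window.append(ts)
        # Drop matches older than findtime relative to the newest one.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == '__main__':
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f'ban {ip} at {when:%H:%M:%S}')
```

Run as-is it bans only 203.0.113.10 (three 403s in four seconds): 1.2.3.4 is spared by ignoreip despite three matching requests, and 198.51.100.7 is not banned because its first request falls outside the 10-minute window of the last two. Call find_bans(lines, ignoreip=[]) to see 1.2.3.4 ban itself, which is what the jail does if ignoreip is left out. Against a real log, the equivalent check with fail2ban’s own engine is fail2ban-regex /path/to/access.log /etc/fail2ban/filter.d/apache-xmlrpc.conf.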
