GoDaddy Help

Block common WordPress attacks

There are two files commonly used for WordPress brute force attacks: xmlrpc.php and wp-login.php. This article will detail how you can block these attacks.

Warning: Not all IPs are malicious! Blocking the wrong IP may cause downtime (e.g. blocking a CDN IP).

How can I stop an xmlrpc attack?

  • Use a plugin to disable xmlrpc.
  • Disable xmlrpc.php via the .htaccess file.

  • In your .htaccess file, add this code:
    <Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
    </Files>

Did it work?

If you properly blocked access to xmlrpc.php, the access log will have entries similar to:

[Tue Aug 02 02:37:11.052622 2022] [authz_core:error] [pid 1449:tid 140380133652224] [client 220.85.221.65:51590] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:11.962665 2022] [authz_core:error] [pid 1449:tid 140380007773952] [client 134.122.112.76:51696] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php
[Tue Aug 02 02:37:14.016124 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 14.232.245.48:51854] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php

How can I stop a wp-login.php (wp-admin) attack?

  • Use a plugin to limit login attempts.
  • Limit access to the WordPress login page by IP address via the .htaccess file.

  • In your .htaccess file, add this code:
    <Files wp-login.php>
    order deny,allow
    allow from xx.xxx.xx.xxx
    deny from all
    </Files>

Note: Each authorized IP (you, your developer, etc.) will need to have an allow rule added.
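To confirm that either block above is working, and to see which clients keep hitting the denied file, here is an added Python example (not from this article or GoDaddy) that parses AH01630 "client denied by server configuration" lines like the ones shown under "Did it work?". The log lines inside it are constructed for the example, using reserved documentation addresses; the function names are the example's own.

```python
import re
from collections import Counter

# One AH01630 line is written for every request rejected by a <Files> block.
# The client field is "ip:port"; the non-greedy IP match also handles IPv6.
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[^\]]+?):\d+\] AH01630: "
    r"client denied by server configuration: (?P<path>\S+)$"
)

# Constructed sample lines in the same format as the article's log excerpt.
SAMPLE_LOG = [
    "[Tue Aug 02 02:37:11.052622 2022] [authz_core:error] [pid 1449:tid 140380133652224] [client 203.0.113.5:51590] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php",
    "[Tue Aug 02 02:37:11.962665 2022] [authz_core:error] [pid 1449:tid 140380007773952] [client 203.0.113.5:51696] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php",
    "[Tue Aug 02 02:37:14.016124 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 198.51.100.9:51854] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/xmlrpc.php",
    "[Tue Aug 02 02:37:15.000000 2022] [authz_core:error] [pid 1329:tid 140380243957504] [client 2001:db8::1:40000] AH01630: client denied by server configuration: /var/www/vhosts/acoolexample.com/httpdocs/wp-login.php",
    "[Tue Aug 02 02:37:16.000000 2022] [core:notice] [pid 1329] AH00094: Command line: '/usr/sbin/apache2'",
]


def parse_denials(lines):
    """Yield (client_ip, denied_path) for each AH01630 line; skip everything else."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("path")


def denials_per_ip(lines, filename):
    """Count denied requests for one file (e.g. 'xmlrpc.php') per client IP."""
    counts = Counter()
    for ip, path in parse_denials(lines):
        if path.rsplit("/", 1)[-1] == filename:
            counts[ip] += 1
    return dict(counts)


def block_confirmed(lines, filename):
    """True once at least one request for the file has been denied by the rule."""
    return bool(denials_per_ip(lines, filename))


def repeat_offenders(lines, filename, threshold):
    """IPs with at least `threshold` denials, most active first.

    These are candidates to review before adding a firewall rule; check each
    one first, since a CDN or your own office address can show up here too.
    """
    counts = denials_per_ip(lines, filename)
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    print("xmlrpc.php blocked:", block_confirmed(SAMPLE_LOG, "xmlrpc.php"))
    print("wp-login.php denials:", denials_per_ip(SAMPLE_LOG, "wp-login.php"))
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG, "xmlrpc.php", 2))
```

To run it against a real server, replace SAMPLE_LOG with the lines read from your Apache log file.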

Next Steps

Here are some other suggestions you may use to help block malicious traffic:
  • Block IPs in the server's firewall
  • Change the default user from 'admin' to another name
  • Block access to xmlrpc.php and/or wp-login.php in the Apache configuration