I got an automated alert on Sunday from my ISP noting high GPU usage on a WordPress site with a couple of sub-domains. After checking their dashboard, I noticed that there were over 60,000 attempts to access xmlrpc.php, mostly from France and Serbia. I generally only need this for the Jetpack plugin, so for now I have just blocked access with a firewall rule, which seems to be working (GPU usage way down and access attempts listed in the CF log). However, I thought that Cloudflare was already blocking brute force attacks against xmlrpc while whitelisting the Jetpack plugin (link below). Do I need to do something in my account or have the ankle biters found a way around this?
That’s generally a distributed attack. Those are more difficult to fight off. You’ll need to spend some time crafting a detailed firewall rule that doesn’t block legitimate access.
Thanks for the response. I did find this example of a Cloudflare firewall rule which blocks xmlrpc access unless the IP address is within the known ranges used by the Jetpack plugin.
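The rule logic described in the post above, as an added example that is not part of the original thread: it replays access-log lines against a "block xmlrpc.php unless the source is allowlisted" decision so the effect can be checked before the rule goes live. The allowlist holds placeholder documentation ranges, not Jetpack's real ranges, and the log lines and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Placeholder allowlist (RFC 5737 documentation ranges), NOT Jetpack's real
# ranges: substitute the ranges Jetpack currently publishes.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample lines in common log format; not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2023:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.7 - - [01/Jan/2023:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.99 - - [01/Jan/2023:10:00:02 +0000] "POST //xmlrpc.php?x=1 HTTP/1.1" 200 403
192.0.2.15 - - [01/Jan/2023:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
198.51.100.8 - - [01/Jan/2023:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
not a log line
"""

def is_xmlrpc(path):
    """True when the request path, query string removed, targets xmlrpc.php."""
    path = path.split("?", 1)[0].lower()
    return path.rstrip("/").endswith("/xmlrpc.php")

def decide(ip, path, allowed=ALLOWED_NETS):
    """Mirror the rule: block xmlrpc.php unless the source is allowlisted."""
    if not is_xmlrpc(path):
        return "allow"
    addr = ipaddress.ip_address(ip)
    return "allow" if any(addr in net for net in allowed) else "block"

def summarize(log_text):
    """Return (blocked-per-IP counter, allowed xmlrpc sources) for a log."""
    blocked, allowed_sources = Counter(), set()
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 3 or len(parts[1].split()) != 3:
            continue  # skip malformed lines
        ip = line.split()[0]
        _method, path, _proto = parts[1].split()
        try:
            verdict = decide(ip, path)
        except ValueError:
            continue  # first field was not an IP address
        if verdict == "block":
            blocked[ip] += 1
        elif is_xmlrpc(path):
            allowed_sources.add(ip)
    return blocked, allowed_sources

if __name__ == "__main__":
    blocked, ok = summarize(SAMPLE_LOG)
    print("blocked:", dict(blocked), "allowed xmlrpc sources:", sorted(ok))
```

Many distinct blocked sources with only a few requests each is the distributed pattern mentioned in the reply, which is why the decision keys on an allowlist rather than on per-IP request counts.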