Thanks to the Simple History plugin, the first thing I noticed on my new WordPress install was hundreds of brute-force login attempts:
Anonymous user from x.x.x.x 4:25 pm (less than a minute ago) Failed to login with username "dougie" (incorrect password entered) warning Showing 212 more
And then more alarmingly, immediately the same thing on a new test user I set up a few minutes later. Of course, just because frustratingly I can’t work out how the attacker extracts the new WP username immediately doesn’t mean it ain’t happening. But the attack vector, so to speak, was the xmlrpc.php file.
Several ways to tackle this, and initially I used a security plugin to fix it. But given the choice, I’d rather do things like this manually so I have a better idea what’s going on, and maybe learn something too.
I pasted the code suggested from https://www.hostinger.com/tutorials/xmlrpc-wordpress into my .htaccess file:
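# Block WordPress xmlrpc.php requests
# (Apache 2.2 access-control syntax; on Apache 2.4 these directives need mod_access_compat)
<Files xmlrpc.php>
# Evaluate deny rules first, then allow rules; a matching allow wins
order deny,allow
# Refuse every client by default
deny from all
# Let one address back in (replace with your own static IP)
allow from xxx.xxx.xxx.xxx
</Files>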
changing the allow from to the static IP for my regular connection, although strictly speaking I don’t think I need that and will try taking it out altogether sometime.
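One way to confirm from the web server's access log that the rule is doing its job, as an added example that is not part of the original post: it tallies POSTs to xmlrpc.php per client IP and HTTP status, then lists any address outside the allow list that was not refused with 403. It assumes Apache's combined log format; the sample lines, IP addresses (documentation ranges) and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not real traffic. 192.0.2.10 plays the allowed static IP.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:16:24:58 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:16:24:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:16:25:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2711 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:16:40:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:16:41:30 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2024:16:45:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress app"
"""

def xmlrpc_summary(log_text):
    """Count POSTs to xmlrpc.php per (client IP, HTTP status)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string and match the file wherever WordPress is installed.
        path = m["path"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() == "xmlrpc.php":
            hits[(m["ip"], int(m["status"]))] += 1
    return hits

def still_reaching_wordpress(hits, allowed_ips=()):
    """IPs outside the allow list that got any answer other than 403 Forbidden."""
    return sorted({ip for (ip, status) in hits
                   if status != 403 and ip not in allowed_ips})

if __name__ == "__main__":
    summary = xmlrpc_summary(SAMPLE_LOG)
    for (ip, status), count in sorted(summary.items()):
        print(f"{ip:15} {status} x{count}")
    print("not blocked:", still_reaching_wordpress(summary, {"192.0.2.10"}))
```

In the sample, 203.0.113.7 is reported because its first two requests predate the rule; run against only the log written after the .htaccess change, an empty list means every outside request was refused.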