288,493 Requests – How I Spotted an XML-RPC Brute Force from a Weird Cache Ratio
a day ago
- #Cloudflare WAF
- #WordPress Security
- #Brute Force Attack
- A WordPress site's Cloudflare cache hit ratio dropped to 0.8%, which signaled an attack: a flood of uncacheable traffic was swamping normal requests.
- The root cause was a single DigitalOcean IP in Singapore making 288,493 POST requests in 24 hours to /xmlrpc.php, using system.multicall for credential brute-forcing.
- The fix was a Cloudflare WAF rule that blocks /xmlrpc.php at the edge, plus disabling XML-RPC in WordPress via WP Multitool's Frontend Optimizer for defense in depth.
- Users should monitor Cloudflare's Top Paths weekly; if xmlrpc.php appears in the top 3, it indicates an ongoing attack.
- xmlrpc.php is largely obsolete in 2026, with REST API as a better alternative, though Jetpack mobile may still require it; consider blocking it preemptively if not needed.