This article caught my interest:
Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk.
Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple pingback request to the XML-RPC file:
It caught my interest because for the last couple of months, I’ve been dealing with a problem on this site: tens of thousands of requests to post via XML-RPC, causing huge traffic bursts, timeouts, and all sorts of other problems. So much so, in fact, that I’ve taken some pretty drastic measures to re-route requests to that file to null.
Of course, there’s an inherent problem with that. There are lots of apps and plugins that require access to the xmlrpc.php file. Denying access to it means Jetpack doesn’t work, the WordPress iOS app doesn’t work, auto-posting from Diigo doesn’t work, and so on. I’m trying to work around that by routing requests to null, but then disabling that route when I need to use one of those features. It’s not ideal, but neither is not being able to post to my own site because of all the XML-RPC requests.
Here’s hoping this causes someone at WordPress to come up with a solution that allows proper use of XML-RPC without leaving it open to abuse.
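The abuse in the quoted article comes from one XML-RPC method, pingback.ping, while Jetpack and the mobile apps use other methods on the same endpoint. The must-use plugin below is an added example, not code from this post, from the article quoted above, or from WordPress itself; it uses the standard WordPress hooks (`xmlrpc_methods`, `wp_headers`, `pings_open`) to drop only the pingback methods so xmlrpc.php stays reachable for everything else. The request body shown in the comment is a constructed illustration of the pingback.ping call shape (source URI, target URI), with placeholder hostnames.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks
 * Description: Keeps xmlrpc.php available for Jetpack, the WordPress apps
 *              and other XML-RPC clients, but removes the pingback methods
 *              that are abused for reflected DDoS. Copy this file into
 *              wp-content/mu-plugins/ so it loads without activation.
 */

/*
 * Constructed example of the request an attacker sends to thousands of
 * sites. Each site then fetches "sourceURI" to verify the link, so the
 * victim receives one request per reflector:
 *
 *   <?xml version="1.0"?>
 *   <methodCall>
 *     <methodName>pingback.ping</methodName>
 *     <params>
 *       <param><value><string>http://victim.example/</string></value></param>
 *       <param><value><string>http://reflector.example/some-post/</string></value></param>
 *     </params>
 *   </methodCall>
 */

// Remove only the pingback methods from the XML-RPC method table. The
// wp.*, metaWeblog.* and blogger.* methods that Jetpack and the mobile
// apps rely on are left untouched, so an unwanted pingback.ping call now
// gets a "server error. requested method pingback.ping does not exist"
// fault instead of triggering an outbound fetch.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising pingback support in the X-Pingback response header, so
// scanners that harvest reflectors by looking for that header skip the site.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Mark every post as closed to pings. The pingback handler checks this
// before accepting a pingback, so it is a second line of defence if a theme
// or plugin re-registers the method.
add_filter( 'pings_open', '__return_false' );
```

After dropping the file in place, a pingback.ping POST to /xmlrpc.php should return an XML-RPC fault, while Jetpack's connection check and publishing from the iOS app keep working because they never call the removed methods. If the site relies on receiving legitimate pingbacks from other blogs, this trades that feature away; trackbacks and comments are unaffected.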