WordPress - Many POST requests to /xmlrpc.php from GoogleBot taking down server?

I would block the IP with iptables if it were me, and if you have that kind of server level access.

You could also disable xmlrpc. Unfortunately, since 3.5 the admin screen option to disable that feature has been removed. A single line of code should disable it though:

add_filter( 'xmlrpc_enabled', '__return_false' );

That might save some overhead from the requests, though it won't eliminate all of it.


"Googlebot" has no reason to access xmlrpc.php. You could add this to the top of your xmlrpc.php:

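// Block fake Googlebot
// strpos() returns an integer offset or false, never true, so compare against false.
if ( isset($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], "Googlebot") !== false ) { exit(); }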

I'm guessing it's a core WordPress file. So it might be annoying to keep this updated. Would be nice if Automattic used Akismet to blacklist these IPs from all WP scripts, everywhere.

Update: I ended up removing permission with chmod 0 xmlrpc.php (see my comments) after a DDoS started to tax my server. In other words, this conditional PHP code might not stop an aggressive attacker from temporarily disabling your blog. In any case, they usually give up pretty fast.
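
Added example, not part of either answer above: the User-Agent string alone cannot tell real Googlebot from an impostor, so this sketch checks the client IP with the reverse-then-forward DNS lookup that Google documents for verifying its crawlers. The function names are hypothetical, and the accepted host suffixes (googlebot.com, google.com) are taken from Google's published guidance.

```php
<?php
// Added example: verify a claimed Googlebot by reverse + forward DNS
// instead of trusting its User-Agent. Function names are hypothetical.

/** Forward-resolve a host name to all of its A/AAAA addresses. */
function resolve_addresses(string $host): array {
    $ips = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        $ips[] = $rec['ip'] ?? $rec['ipv6'] ?? null;   // 'ip' for A, 'ipv6' for AAAA
    }
    return array_filter($ips);
}

/** True only if $ip reverse-resolves to a Google crawler host that resolves back to $ip. */
function is_verified_googlebot(string $ip): bool {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $host = gethostbyaddr($ip);   // returns the IP unchanged when there is no PTR record
    if ($host === false || $host === $ip) {
        return false;
    }
    $host = strtolower(rtrim($host, '.'));
    // Anchored suffix match so "googlebot.com.attacker.example" does not pass.
    if (!preg_match('/\.(googlebot|google)\.com$/', $host)) {
        return false;
    }
    // A PTR record is controlled by whoever owns the IP block, so confirm the
    // name resolves back to the same address. Compare in binary form so
    // differently written IPv6 addresses still match.
    $want = inet_pton($ip);
    foreach (resolve_addresses($host) as $candidate) {
        if (@inet_pton($candidate) === $want) {
            return true;
        }
    }
    return false;
}

// Refuse requests that claim to be Googlebot but fail verification.
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if (stripos($ua, 'Googlebot') !== false && !is_verified_googlebot($ip)) {
    http_response_code(403);
    exit;
}
```

Each check costs two DNS lookups, so under heavy request volume the result per IP should be cached, or the offending addresses blocked at the firewall once identified.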

Tags:

Server Load