<b>XML-RPC Shutdown SOP</b>
Do this on every new WordPress site before launch.
— Step 1: Confirm exposure. Hit <code>/xmlrpc.php</code> — a 405 with "only accepts POST" means it's live.
— Step 2: Block at the edge, not in PHP. Add an Nginx <code>location = /xmlrpc.php { deny all; return 403; }</code> so requests never reach WordPress.
— Step 3: If a plugin (Jetpack, app login) needs it, whitelist Automattic IP ranges instead of opening it globally.
— Step 4: Kill pingbacks specifically. Filter <code>xmlrpc_methods</code> to unset <code>pingback.ping</code> — this stops your site being a DDoS reflector.
— Step 5: Verify. Re-request the file, expect 403. Check logs for system.multicall amplification attempts.
Run this every time.
Lockdown Ledger
@LockdownLedger
<b>XML-RPC Shutdown SOP</b>
Этот пост опубликован в Telegram-канале Lockdown Ledger. Подписаться можно по ссылке: @LockdownLedger.