One of my WP 3.5 (now WP 3.5.1) sites recently got blocked by host’s automatic ‘anti exploit’ script. I’m still working on what happened exactly, but looking through the logs, I have noticed a LOT of entries like this:
111.222.333.444 http://www.mysite.com – [30/Apr/2013:00:00:19 +0200] “POST /xmlrpc.php HTTP/1.1” 200 463 “-” “-“
(ip and sitename changed)
Something like 700,000 of them this this month. The bulk of them are from the same IP but, looking back over the logs, there have been other IP’s doing similar things (but not to the same volumes as far as I can see).
The current culprit seems to be some hosted address located somewhere in the USA.
Mine is a European site, hosted in France.
I’m wondering if it’s a bute force attack trying to post minimal data to /xmlrpc.php until it gets success, indicating a successful password guess?
Any ideas as to what this is, and what I should do about it?
- The topic ‘Weird host log entries. Possible attack?’ is closed to new replies.