Quick and dirty WordPress WAF protection for the extremely outdated
I’m not disclosing at all that this WP you are poking at is outdated. This is for those of you who cannot update yours for surely very reasonable reasons, are receiving a lot of spam attacks these days, and cannot put up a WAF for surely equally reasonable reasons*.
A shallow review of the attacking calls shows that the targets are wp-login.php for brute-force and password-spraying attacks, and xmlrpc.php for whatever vulnerabilities WP exposes now.
So, why not protect these files with cheap, dirty, leave-me-alone-I-have-a-life basic authentication?
Put this into your site’s .htaccess (inside
<Files xmlrpc.php>
AuthType basic
AuthName "no spam"
AuthUserFile /etc/apache2/mysite_passwords
Require valid-user
</Files>
<Files wp-login.php>
AuthType basic
AuthName "no spam"
AuthUserFile /etc/apache2/mysite_passwords
Require valid-user
</Files>
You’re not using Apache? Oh snap!
Now add some users to that mysite_passwords file (choose your own names) and assign passwords. The -c flag creates the file, so drop it when adding further users or it will overwrite the existing entries:
htpasswd -c /etc/apache2/mysite_passwords happy_user_name
Reload your Apache server config. Honor the permissions on that password file, they are there for your security.
/etc/init.d/apache2 restart
And now, the first time you try to log in it will ask you for the server password before the WP login, and remember it for the rest of that browser session. If you are an admin or use xmlrpc for anything, I recommend going to http://yoursite/xmlrpc.php to authenticate before using it. Also, modify any application that calls it to include the basic (insecure) authentication in the URL, say http://user:pass@yoursite/xmlrpc.php.
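To do the "shallow review of the attacking calls" mentioned above, and afterwards to confirm that Apache is now answering those calls with 401 instead of handing them to WordPress, here is an added example (my own script, not part of the original post) that counts hits against wp-login.php and xmlrpc.php per source IP in an Apache combined-format access log. The log lines embedded in it are constructed samples.

```python
import re
from collections import Counter

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two entry points the post singles out as the spam targets.
WATCHED = {"/wp-login.php", "/xmlrpc.php"}

def parse_line(line):
    """Return a dict with ip, time, method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def summarize(lines, min_hits=3):
    """Per source IP, count requests to the watched files, split into
    'blocked' (Apache answered 401, i.e. basic auth did its job) and
    'passed' (anything else, so WordPress saw the request)."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED:
            continue
        c = per_ip.setdefault(rec["ip"], Counter())
        c["total"] += 1
        c["blocked" if rec["status"] == 401 else "passed"] += 1
    return {ip: c for ip, c in per_ip.items() if c["total"] >= min_hits}

# Constructed sample: one source hammering the login and xmlrpc endpoints
# before and after the .htaccess change, one innocent page view, one junk line.
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla"',
    '203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla"',
    '203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 401 381 "-" "Mozilla"',
    '203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 401 381 "-" "Mozilla"',
    '198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /about/ HTTP/1.1" 200 5000 "-" "Mozilla"',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, dict(counts))
```

Feed it your real log with `summarize(open("/var/log/apache2/access.log"))`; once the protection is in place the "passed" count for those two paths should drop to zero for anyone who does not know the server password.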
-
Caveats:
-
Benefits:
* Indolence is a perfectly valid one.