Detecting "POST /xmlrpc.php HTTP/1.1" 405 on a WordPress site

Hey there,

Trying to get my head around how we might be able to use Crowdsec to protect a few different sites that we host for clients. For example, we were getting 3-5 requests a second for a few hours on a couple of wordpress sites like this:

xxx.xxx.xxx.xxx - - [17/Aug/2021:16:10:08 +0000] "POST /xmlrpc.php HTTP/1.1" 405 755 "-" "curl/7.30.0"

Is there an out of the box scenario for detecting things like this?

Or would it make a good contribution to the wordpress bf scenario?

Any thoughts appreciated.

Thanks!

Hi!
New user here also.
Did you try to copy / paste the content of the file you linked (to a new file) and just replace the wp-login.php by xmlrpc.php? (and of course reload crowdsec)

Not tested, but this is what I would do :slight_smile:

Hello,

I would suggest creating a dedicated scenario because xmlrpc “might” have legitimate usages.
The wordpress bf scenario with more capacity in the bucket might be a good base.

Please let me know if I can help and/or if you’re facing any issues :slight_smile:
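Putting the two suggestions above together (copy the wp-login.php scenario, point it at xmlrpc.php, and give the bucket more capacity), here is an added example of what such a dedicated scenario could look like. It is not from the thread or the CrowdSec hub: the scenario name is a placeholder, the capacity and leakspeed values are starting points to tune per site, and it assumes the access logs are parsed by the standard http-logs parsers so that evt.Meta.http_path, http_verb, http_status and source_ip are populated.

```yaml
# Added example (not the hub's wordpress_bf scenario): a dedicated leaky bucket
# for repeated "POST /xmlrpc.php" requests that the server answers with 405.
# Assumptions: standard http-logs parsing fills the evt.Meta fields used below;
# "example/" is a placeholder namespace; capacity/leakspeed are starting values.
type: leaky
name: example/http-xmlrpc-post-bf
description: "Detect repeated POST /xmlrpc.php requests answered with 405"
# Only count rejected POSTs, so a site that legitimately uses XML-RPC
# (Jetpack, mobile apps, pingbacks) and answers 200 is not affected.
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path == '/xmlrpc.php' && evt.Meta.http_status == '405'"
groupby: evt.Meta.source_ip
# Larger bucket than the wp-login.php scenario to leave room for legitimate
# bursts; at the 3-5 requests/second seen in the thread it still overflows
# within a few seconds (one event leaks every 10s).
capacity: 20
leakspeed: 10s
# Do not re-alert for the same source for 5 minutes after an overflow.
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
```

Drop the file into /etc/crowdsec/scenarios/, reload crowdsec, and confirm it is loaded with `cscli scenarios list`. Because the filter keys on the 405 response rather than on the path alone, a client that makes legitimate XML-RPC calls and gets 200 back never fills the bucket; if xmlrpc.php is disabled site-wide, the status check can be relaxed to catch any POST to that path.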

Haven’t got that far, but yes, seems like a good idea - thanks for your thoughts :slight_smile:

Thanks - I will take a look at this. FWIW here is some background on that URL: "Should You Disable XML-RPC on WordPress?" from Wordfence (a popular wordpress WAF).