Hey there,
Trying to get my head around how we might be able to use CrowdSec to protect a few different sites that we host for clients. For example, we were getting 3-5 requests a second for a few hours on a couple of WordPress sites like this:
xxx.xxx.xxx.xxx - - [17/Aug/2021:16:10:08 +0000] "POST /xmlrpc.php HTTP/1.1" 405 755 "-" "curl/7.30.0"
Is there an out of the box scenario for detecting things like this?
Or would it make a good contribution to the wordpress bf scenario?
Any thoughts appreciated.
Thanks!
Hi!
New user here also.
Did you try to copy/paste the content of the file you linked (to a new file) and just replace the wp-login.php by xmlrpc.php? (and of course reload crowdsec)
Not tested, but this is what I would do.
Hello,
I would suggest creating a dedicated scenario because xmlrpc “might” have legitimate usages.
The wordpress bf scenario with more capacity in the bucket might be a good base.
Please let me know if I can help and/or if you're facing any issues.
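A dedicated scenario of the kind suggested above, as an added example (not from this thread, and not the CrowdSec hub's own wordpress_bf scenario): it keeps the leaky-bucket shape of that scenario but matches POST requests to /xmlrpc.php and uses a larger bucket so that a client making a handful of legitimate XML-RPC calls (Jetpack, mobile apps) is not banned. The scenario name, capacity, leakspeed and blackhole values are assumptions to tune per site; the filter relies on the evt.Meta fields that the standard nginx/apache access-log parsers populate.

```yaml
# Added example: dedicated xmlrpc.php flood/bruteforce scenario (not from the hub).
# Place it under /etc/crowdsec/scenarios/ and reload crowdsec.
type: leaky
name: example/http-bf-wordpress_xmlrpc      # assumed name, rename as you like
description: "Detect bursts of POST requests to xmlrpc.php from a single source"
# Match only POSTs to xmlrpc.php seen in an HTTP access log. The status code is
# deliberately not filtered on: the thread's sample line shows a 405, and a
# flood is worth blocking whether the endpoint answers 200, 403 or 405.
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path == '/xmlrpc.php'"
# One bucket per client IP, so a noisy source cannot poison the bucket of others.
groupby: evt.Meta.source_ip
# Bucket size: the hub's wp-login scenario uses 5; XML-RPC is bursty for legit
# clients, so allow more (assumed value). At 3-5 req/s, as in the thread, the
# bucket overflows in well under a minute.
capacity: 30
# One token leaks every 2s, i.e. a sustained 0.5 req/s is tolerated without ever overflowing.
leakspeed: 2s
# After an overflow, ignore the same source for 5 minutes instead of re-alerting on every request.
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true   # lets bouncers act on the resulting decision
```

Check the scenario compiles and fires before relying on it: `cscli scenarios inspect example/http-bf-wordpress_xmlrpc` after reload, and `cscli explain --file access.log --type nginx` (or `--type apache2`) against a log containing the lines from the original post to confirm the bucket overflows.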
Haven't got that far, but yes, seems like a good idea - thanks for your thoughts.
Thanks - I will take a look at this. FWIW, here is some background on that URL: "Should You Disable XML-RPC on WordPress?" from Wordfence (a popular WordPress WAF).