How to Stop a WordPress XMLRPC.php Attack and Still Use Jetpack

Lately the bastards of the Internet have laid some different attacks down on one of my sites. The newest (as far as I know) WordPress-specific attack is that they try to make use of your site via xmlrpc.php to launch DDoS attacks on other sites.

The easy solution is to just block all access to the file with .htaccess. If you do a simple “Deny All”, however, you’ll lose access to certain services.

In my case I like a few of the functions of Jetpack, which talks to your site through xmlrpc.php. To avoid killing Jetpack while you thwart the bastards you need to allow access from the IPs used by Automattic.

Here’s the .htaccess fix I used to thwart the attacks. Everything has been holding for a few days so I think I’m in the clear.

I’m not a server or security expert so just know you’re using this fix at your own risk.

Copy and paste this into the .htaccess file at your site’s root.

# Apache 2.2 access-control syntax (order/deny/allow). On Apache 2.4 these
# directives only work while mod_access_compat is loaded; the 2.4 equivalents
# are "Require all denied" and "Require ip <range>".
<FilesMatch "^xmlrpc\.php$">
order deny,allow
deny from all
# Automattic (Jetpack) address ranges. Each range was originally written as its
# first and last address on two separate lines, which only whitelists those two
# endpoints; the CIDR form below covers the whole range between them.
allow from 216.151.209.64/26
allow from 66.135.48.128/25
allow from 69.174.248.128/25
allow from 76.74.255.0/25
allow from 216.151.210.0/25
allow from 76.74.248.128/25
allow from 76.74.254.0/25
allow from 207.198.112.0/23
allow from 207.198.101.0/25
allow from 198.181.116.0/22
allow from 192.0.64.0/18
allow from 66.155.8.0/22
allow from 66.155.38.0/24
allow from 72.233.119.192/26
allow from 209.15.21.0/24
</FilesMatch>
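Two checks that go with the block above, written here as an added example (my code, not the post's and not Automattic's): it turns the start/end address pairs listed in the post into the CIDR blocks Apache actually needs, and it scans an access log for xmlrpc.php requests coming from addresses outside those blocks, which is how you can tell whether the rule is holding. The log lines are constructed samples in Apache combined format, and the RFC 5737 addresses 203.0.113.5 and 198.51.100.7 are made-up attackers.

```python
import ipaddress
import re
from collections import Counter

# The ranges as listed in the post: (first address, last address) per range.
RANGE_ENDPOINTS = [
    ("216.151.209.64", "216.151.209.127"),
    ("66.135.48.128", "66.135.48.255"),
    ("69.174.248.128", "69.174.248.255"),
    ("76.74.255.0", "76.74.255.127"),
    ("216.151.210.0", "216.151.210.127"),
    ("76.74.248.128", "76.74.248.255"),
    ("76.74.254.0", "76.74.254.127"),
    ("207.198.112.0", "207.198.113.255"),
    ("207.198.101.0", "207.198.101.127"),
    ("198.181.116.0", "198.181.119.255"),
    ("192.0.64.0", "192.0.127.255"),
    ("66.155.8.0", "66.155.11.255"),
    ("66.155.38.0", "66.155.38.255"),
    ("72.233.119.192", "72.233.119.255"),
    ("209.15.21.0", "209.15.21.255"),
]


def ranges_to_networks(pairs):
    """Collapse each first/last pair into the smallest set of CIDR networks."""
    nets = []
    for first, last in pairs:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ALLOWED_NETS = ranges_to_networks(RANGE_ENDPOINTS)


def htaccess_allow_lines(nets):
    """Render the networks as Apache 2.2 'allow from' lines."""
    return ["allow from %s" % net.with_prefixlen for net in nets]


def is_allowed(ip_text, nets):
    """True if the address falls inside any of the whitelisted networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in nets)


# Apache combined log format: client ip, ident, user, [time], "request", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log; 192.0.80.10 sits inside 192.0.64.0/18, the others do not.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.80.10 - - [10/Mar/2014:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 301 "-" "Jetpack by WordPress.com"
198.51.100.7 - - [10/Mar/2014:12:00:04 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 120 "-" "curl/7.30"
198.51.100.7 - - [10/Mar/2014:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.30"
"""


def xmlrpc_hits_from_untrusted(log_text, nets):
    """Count xmlrpc.php requests per client address for addresses outside the whitelist.

    Any non-zero count after the .htaccess rule is in place means the rule is not
    taking effect (wrong file, mod_access_compat missing, or a proxy in front).
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        path = match.group("path").split("?", 1)[0]
        if path != "/xmlrpc.php":
            continue
        if is_allowed(match.group("ip"), nets):
            continue
        counts[match.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("\n".join(htaccess_allow_lines(ALLOWED_NETS)))
    for ip, n in xmlrpc_hits_from_untrusted(SAMPLE_LOG, ALLOWED_NETS).items():
        print("%s hit xmlrpc.php %d time(s) from outside the whitelist" % (ip, n))
```

Run it against your real log with `xmlrpc_hits_from_untrusted(open("/var/log/apache2/access.log").read(), ALLOWED_NETS)`; once the rule is working those requests should be logged with status 403 rather than 200, and a count that keeps climbing with 200s tells you the block isn't being applied. The whitelist itself is whatever Automattic publishes at the time, so refresh RANGE_ENDPOINTS from their current list rather than treating these values as permanent.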