If you run a server with multiple sites on it, then you may have issues with WordPress installations. WordPress has a remote admin feature (which allows 3rd party connections to post new articles etc..).
While a greate feature in theory, in practice it is an avenue for attack by bot networks. You will see hundreds/thousands of connections a minute across a multi-domain hosting server (one of our servers has 40 sites on it – nearly all wordpress).
These requests take up resources, even if they do not compromise a site (though, with multiple sites – managed by people of differing technical skills, you may well get some compromised due to age and lack of updating) – to the point where a server cannot perform as well as expected, causing delays or requirements to upgrade hardware before you really should.
If you are running mod-security (if you aren’t perhaps consider it to protect your/your client sites) then you can add the following rule:
#Block requests to xmlrpc.php with no referring URL
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000900,chain,msg:'xmlrpc.php request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
(adapted from a post on cpanel forums by ‘dalem’ (https://forums.cpanel.net/threads/xmlrpc-spam.646765/) )
SecRule REQUEST_URI "xmlrpc.php"
Once you add this, any requests to xmlrpc, which do not originate from a link/trigger from a website (i.e. no referrer) will be blocked with a 401 (forbidden) message.
If you have a firewall or banning software (such as csf firewall or fail2ban) you can also get these to scan the log-file and ban repeated offenders on this rule.
When might this not be a good idea?
Basically, if you or any customers, use 3rd parties that utilise the xml-rpc functionality, you may not be able to deploy this rule. If you have a fixed IP you could always add in another part of the rule (another SecRule line) which excludes that IP address – but this may be hard to maintain.