288,493 Requests in 24 Hours — How I Spotted an XML-RPC Brute Force From a Weird Cache Ratio
Summary
This article documents a brute-force XML-RPC attack on a WordPress site that caused a dramatic drop in Cloudflare cache hit rate due to uncacheable POSTs to xmlrpc.php. It explains how the attacker used system.multicall to test hundreds of credentials per request and provides practical mitigations (edge WAF rule and WordPress-level blocking) as part of a defense-in-depth strategy. The piece also offers guidance for SMBs to monitor top paths, watch cache metrics over uptime, and preemptively harden xmlrpc on new WordPress deployments.
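The triage described above (top paths, cache hit ratio, and POST volume to xmlrpc.php) can be sketched as follows. This is an added example, not code from the original article; the record layout, the documentation-range IP addresses, the sample traffic and the alert thresholds are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: (client_ip, method, path, cache_status). The layout and
# values are made up for this example; adapt the parsing to your own edge logs.
def build_sample():
    normal = ([("198.51.100.7", "GET", "/", "HIT")] * 6
              + [("198.51.100.7", "GET", "/wp-content/style.css", "HIT")] * 3
              + [("198.51.100.9", "GET", "/blog/post-1", "MISS")])
    attack = [("203.0.113.50", "POST", "/xmlrpc.php", "DYNAMIC")] * 30
    return normal, normal + attack

def cache_hit_ratio(records):
    """Share of requests answered from cache (status HIT) out of all requests."""
    if not records:
        return 0.0
    return sum(1 for r in records if r[3] == "HIT") / len(records)

def top_paths(records, n=3):
    """Most requested paths; one uncacheable path dominating is the signal."""
    return Counter(r[2] for r in records).most_common(n)

def xmlrpc_post_sources(records):
    """POST count to xmlrpc.php per client IP (also matches subdirectory installs)."""
    return Counter(r[0] for r in records
                   if r[1] == "POST" and r[2].endswith("/xmlrpc.php"))

def triage(baseline, current, drop=0.25, share=0.5):
    """Alert when the hit ratio falls by `drop` or more against the baseline and
    xmlrpc.php POSTs make up at least `share` of traffic (assumed thresholds)."""
    base, now = cache_hit_ratio(baseline), cache_hit_ratio(current)
    sources = xmlrpc_post_sources(current)
    xml_share = sum(sources.values()) / len(current) if current else 0.0
    return {
        "baseline_ratio": base,
        "current_ratio": now,
        "xmlrpc_share": xml_share,
        "sources": dict(sources),
        "alert": (base - now) >= drop and xml_share >= share,
    }

if __name__ == "__main__":
    normal, current = build_sample()
    print(top_paths(current))
    print(triage(normal, current))
```

Requiring both conditions keeps the alert quiet when the hit ratio dips for an unrelated reason, such as a cache purge after a deploy.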