Why are xmlrpc.php entries still in other_vhosts_access.log?

I use ufw and fail2ban, and I’ve come across some behavior I don’t understand, and this leads me to think that something’s not configured correctly. I noticed a ton of POSTs from two IP addresses over and over again that I cannot identify. What’s weird, though, is even if I add them to ufw, they still show in other_vhosts_access.log. These addresses and attempts do not show in access.log, however.

Just to be clear, I added them using “insert” so that the deny statements are above the allow statements for ports 80 and 443. I even tried resetting the rules and starting over.



Hi John - If you are using Nginx, you should add the following declaration in your .conf file. As the comment states, it will eliminate your ability to use the WP app. But, XMLRPC attacks are pretty common.

```nginx
# Thwarts XMLRPC attacks, which will also remove your ability to control your blog with the smartphone app
location /xmlrpc.php { deny all; }
```

As for the firewall rules, note that firewall rules are processed in order. If your IP ban rule is last, other rules take precedence.
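An added example, not part of the original answer: a small check that reads other_vhosts_access.log and reports which clients still reach xmlrpc.php after a deny rule was put in place. It assumes the log uses Apache's vhost_combined layout; the sample lines, the `RULE_ADDED` time and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed layout (Apache "vhost_combined"):
# vhost:port client ident user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = '''\
blog.example.com:80 203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
blog.example.com:80 198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
blog.example.com:80 192.0.2.44 - - [12/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
blog.example.com:443 203.0.113.10 - - [12/Mar/2024:10:30:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
blog.example.com:80 203.0.113.10 - - [12/Mar/2024:10:31:40 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
'''
# Constructed time at which the deny rule was put in place.
RULE_ADDED = datetime(2024, 3, 12, 10, 15, tzinfo=timezone.utc)

def xmlrpc_posts(lines, since=None):
    """Map client IP -> Counter of HTTP status codes for POSTs to xmlrpc.php."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # other formats and other methods are ignored
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        if since is None or when >= since:
            hits[m["client"]][int(m["status"])] += 1
    return dict(hits)

def still_served(hits):
    """Clients that received anything other than 403 for xmlrpc.php."""
    return sorted(ip for ip, codes in hits.items() if any(s != 403 for s in codes))

if __name__ == "__main__":
    after = xmlrpc_posts(SAMPLE_LOG.splitlines(), since=RULE_ADDED)
    for ip, codes in sorted(after.items()):
        print(ip, dict(codes))  # a line here means the request reached the web server
    print("answered without 403:", still_served(after))
```

An address that still appears after the rule time reached the web server, so the firewall rule did not match that traffic; a 403 status shows the web-server deny answered the request instead.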