8000 Requests for wp-login.php and xmlrpc.php

Hello Guys,
Since last few days I am getting average 4000 requests for wp-login.php and 4000+ request for xmlrpc.php.
Is this normal? This is more than my page view!!!

I have strong server setup so nothing is impacting but just want to know is this normal?


The best advice I think for you is:

  • Change default WordPress login page (/wp-admin) page to something else.

  • Use something like wordfence plugin or sucuri security plugin to block bots and such spam traffic.

  • You should also look for the source of these hits and if they are from one particular country, which is not in your target traffic country ( like most cases its China, Russia etc. ) than simply block your site in that country using cloudflare firewall.

Hope that helps :slight_smile:

I have converted my site static and hide my WordPress on other URL. This will give me peace of mind.

IPs are coming from across the globe. It is pattern like first is wp-admin and then xmlrpc. It seems more like bots than human.

I use perfmatter to disable wp-login path by changing it and disable unneeded modules like xmlrpc.
It wkrks like a charm

1 Like

Yes, this is completely normal. You can block xmlrpc.php safely if you do not use JetPack or WordPress.com app