My blog is running in wordpress on nginx. I found a lot of DDOS attack and nginx log is as follows.
aaa.bbb.ccc.ddd - - [19/Oct/2015:16:11:50 +0900] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" "-"
I added conf file as follows.
location = /xmlrpc.php {
allow (my global ip);
allow 127.0.0.1;
deny all;
access_log off;
error_log off;
}
It seems to work fine to prevent DDOS attack. But I found that I encounter an error when I use Windows Live Writer. The error dialog is like this.
http://(my blog)/xmlrpc.php
405 Not Allowed
Seems to be that "allow (my global ip)" and "deny all" are working because Windows Live Writer error message is not 403 but 405. But I cannot find any solutions.
To stop people abusing XML-RPC file, You may add the following filter into your theme's functions.php file:
add_filter( 'xmlrpc_methods', function( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;
} );