Block all XML-RPC requests except those from Jetpack (WordPress.com); this also works when your website is behind Cloudflare.
# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
# Restricts direct access to xmlrpc.php: every client is denied unless its
# address matches one of the Allow lines below.
# NOTE(review): Order/Deny/Allow is the Apache 2.2 access-control syntax; on
# Apache 2.4 it is only honoured when mod_access_compat is loaded - confirm
# for your server.
# NOTE(review): Allow/Deny match the address Apache sees for the connection.
# Behind Cloudflare or another reverse proxy that is the proxy's address unless
# the real client IP is restored (e.g. with mod_remoteip) - confirm, otherwise
# none of the ranges below will ever match. Do not work around that by allowing
# the proxy's own ranges, which would admit every proxied client.
<files xmlrpc.php>
# deny,allow: Deny rules are evaluated first, then Allow; a matching Allow wins.
Order deny,allow
Deny from all
# Whitelist Jetpack / Automattic CIDR IP Address Blocks
# http://whois.arin.net/rest/org/AUTOM-93/nets
# NOTE(review): these ranges are a point-in-time copy; re-check them against
# the registry listing above before relying on them.
Allow from 2620:115:C000::/40
Allow from 76.74.255.0/25
Allow from 76.74.248.128/25
Allow from 198.181.116.0/24
Allow from 192.0.64.0/18
Allow from 64.34.206.0/24
Allow from 66.155.105.128/26
Allow from 2001:1978:1E00:3::/64
Allow from 69.90.253.0/24
# Uncomment and fill in to let an administrator's own address through.
#Allow from MY_OWN_IP_ADDRESS
</files>
/*
Plugin Name: Disable XML-RPC Pingback
Description: Stops abuse of your site's Pingback method from XML-RPC by simply removing it. While you can use the rest of XML-RPC methods.
Author: Samuel Aguilera
*/
// Hook the callback below into the 'xmlrpc_methods' filter so it can edit the
// list of methods before it is returned to WordPress.
add_filter( 'xmlrpc_methods', 'sar_block_xmlrpc_attacks' );
/**
 * Drops the two pingback entries from the XML-RPC method map.
 *
 * Only 'pingback.ping' and 'pingback.extensions.getPingbacks' are removed;
 * every other entry is returned untouched, so methods that accept a username
 * and password stay reachable and still need their own protection
 * (rate limiting, an allowlist, or disabling XML-RPC altogether).
 *
 * @param array $methods Method map keyed by XML-RPC method name.
 * @return array The same map without the pingback entries.
 */
function sar_block_xmlrpc_attacks( $methods ) {
	$pingback_methods = array(
		'pingback.ping',
		'pingback.extensions.getPingbacks',
	);

	foreach ( $pingback_methods as $method_name ) {
		// unset() on a missing key is a no-op, so no existence check is needed.
		unset( $methods[ $method_name ] );
	}

	return $methods;
}
// Hook the callback below into the 'wp_headers' filter so it can edit the
// header array it is given.
add_filter( 'wp_headers', 'sar_remove_x_pingback_header' );
/**
 * Strips the X-Pingback entry from the header array it receives.
 *
 * The lookup is an exact, case-sensitive array-key match on 'X-Pingback';
 * all other headers pass through unchanged. This only stops the header
 * entry from being advertised; it does not restrict access to xmlrpc.php.
 *
 * @param array $headers Headers keyed by header name.
 * @return array The headers without the X-Pingback entry.
 */
function sar_remove_x_pingback_header( $headers ) {
	$pingback_header = 'X-Pingback';

	// No existence check: unset() silently ignores a key that is not there.
	unset( $headers[ $pingback_header ] );

	return $headers;
}
# https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/
# Makes the 'xmlrpc_enabled' filter return false through WordPress's
# __return_false helper.
# Per the hook reference above, this turns off only the XML-RPC methods that
# require authentication; pingbacks and other unauthenticated endpoints are
# not covered, and xmlrpc.php itself still answers requests. Closing those
# needs a separate control such as a server-level rule on xmlrpc.php.
# NOTE(review): clients that rely on authenticated XML-RPC may stop working
# once this is active - verify before combining it with an allowlist.
add_filter( 'xmlrpc_enabled', '__return_false' );