• Resolved kristinubute

    (@kristinubute)


    Hi

    My client site is getting a lot of blocked IPs trying to access when viewing LIVE VIEW. All United States.

    … was blocked by the Wordfence Security Network at domain.com.au/xmlrpc.php

    Someone has suggested to make sure I disable xmlrpc in the Wordfence > Login Security > “Settings” tab (tick “disable xml-rpc”).

    Is this where hackers can access back doors etc? It says it’s a human and not a bot also.

    Is this what I should do for all clients?

    Also for the license key I am using for the free version, I have used the same license for multiple websites for tracking and ensuring websites are safe from these dodgy people. Is this OK or will that cause issues eventually?

    Please advise as there are heaps of them. Response is 503 in Wordfence.

    Just wanted to get things set up correctly.

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @kristinubute, thanks for getting in touch.

    Having many blocked requests for a certain path or file isn’t necessarily a problem in itself; it shows Wordfence is doing its job when your site is targeted. Changing the setting in Login Security certainly helps but you can disable XML-RPC altogether in .htaccess, which would likely reduce the hits that Wordfence sees:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    Whether or not that should be rolled out for all clients is dependent on their setup, as the WordPress app or Jetpack plugin (amongst some others) require it. It can be a popular target for login attempts and comment spam though, yes.

    It’s getting harder to determine the difference between humans/bots now but Wordfence still tries based on the IP’s activity on your site before a request is made. It’s unlikely to be 100% accurate.

    You shouldn’t be reusing a free key on more than 1 site. The main problem of the same key making its way on to multiple sites is that some actions are rate-limited by key on our servers, so too many API calls with the same key may not succeed and leave some of your clients without important rule/signature updates.

    There’s no limit to the amount of free sites a single email address can register so it can be rectified fairly easily. You can either go through the API Key process for each site, or sign up for Wordfence Central where you’d simply navigate to the “LICENSES” link to the top-right, and click the “GET A FREE LICENSE” button.

    After obtaining a new key, you can manually delete the one that appears at the top of Wordfence > All Options. When you do this, the blue “UPGRADE TO PREMIUM” button changes to an “INSTALL LICENSE” button.

    Thanks,
    Peter.

    Thread Starter kristinubute

    (@kristinubute)

    Thank you for your reply. Yes I wasn’t sure whether my email could have multiple clients with different Wordfence keys.

    Then HOW do I input the new LICENSE for each client? Where do I do that please?

    I hope I don’t cause issues adding in a new license for clients who already have Wordfence installed?

    I think I noticed that Very Simple SSL plugin has that feature where you can disable that file

    xmlrpc.php>

    Thanks

    Plugin Support wfpeter

    (@wfpeter)

    Hi @kristinubute,

    If you have another plugin that would insert the same code for you, that should be fine too.

    After you copy the new key, you can manually delete the existing one and paste the new key near the top of Wordfence > All Options in “License Key”. When you do this, the blue “UPGRADE TO PREMIUM” button changes to an “INSTALL LICENSE” button. Click the button and it should register the key on the site.

    Many thanks,
    Peter.

    Thread Starter kristinubute

    (@kristinubute)

    Hi, thanks for your replies.

    How do I know if my website needs this file? xmlrpc file

    Should I be using the other plugin Wordfence Login Security alongside your main Wordfence for my clients? I see this plugin can disable that file xmlrpc file?

    But I don’t want to disable it IF a website needs it and will cause issues? Hence if you can guide me please?

    Thanks

    Thread Starter kristinubute

    (@kristinubute)

    Yes I’m going to start giving everyone a new separate FREE Wordfence license.
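
The thread asks how to tell whether a site still needs xmlrpc.php before blocking it. As an added example (not part of the original posts and not Wordfence code), this script groups xmlrpc.php requests in a web server access log by user agent so you can see which clients call the endpoint. It assumes Apache/nginx Combined Log Format; the sample lines, IP addresses and user agents are constructed.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def is_xmlrpc(path):
    """True when the request path (query string ignored) targets xmlrpc.php."""
    return path.split("?", 1)[0].rstrip("/").lower().endswith("/xmlrpc.php")

def summarize_xmlrpc(lines):
    """Group xmlrpc.php requests by user agent: hits, distinct IPs, status codes."""
    summary = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": Counter()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_xmlrpc(m["path"]):
            continue  # malformed line or a request for something else
        entry = summary[m["ua"] or "(empty user agent)"]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"][m["status"]] += 1
    return dict(summary)

# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 503 512 "-" "Mozilla/5.0 (constructed-scanner)"',
    '203.0.113.8 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 503 512 "-" "Mozilla/5.0 (constructed-scanner)"',
    '198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "POST /xmlrpc.php?for=sync HTTP/1.1" 200 230 "-" "example-publishing-app/1.0"',
    '198.51.100.20 - - [12/Mar/2024:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "example-publishing-app/1.0"',
    'not a log line',
]

if __name__ == "__main__":
    rows = sorted(summarize_xmlrpc(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for ua, e in rows:
        print(f'{e["hits"]:>4} hits  {len(e["ips"]):>3} IPs  {dict(e["statuses"])}  {ua}')
```

A user agent you recognise as one of your own integrations (such as the WordPress app or Jetpack mentioned above) means the site still uses XML-RPC. Status codes alone do not separate a legitimate call from a login attempt, so judge by who the client is.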
