HN Today

288,493 Requests – How I Spotted an XML-RPC Brute Force from a Weird Cache Ratio

This post dives into an often-overlooked indicator of WordPress site compromise: a sudden, dramatic drop in Cloudflare cache hit ratio. The author found a large XML-RPC brute force attack hiding in plain sight, one that used system.multicall to pack many credential guesses into each HTTP request. The post gives concrete steps for detection and mitigation and is useful reading for anyone running WordPress behind a CDN.

HN stats: score 4, 2 comments, highest rank #10, 2h on front page, first seen Apr 17 2:00 AM, last seen Apr 17 3:00 AM.

The Lowdown

The author shares a practical case study: a persistent brute force attack on a WordPress site was detected by noticing an alarmingly low Cloudflare cache hit ratio. Metrics such as CPU load or uptime did not flag the attack, because the site stayed up and the extra load was modest. The cache hit ratio did, because a flood of uncacheable POST requests to a dynamic endpoint drags the ratio down regardless of how healthy the origin looks.

  • A WordPress site's Cloudflare cache hit ratio plummeted to 0.8%, signaling a major issue beyond typical plugin misconfigurations.
  • Investigation revealed a single IP address from Singapore had made 288,493 POST requests to /xmlrpc.php within 24 hours.
  • The attack used system.multicall to submit hundreds of credential pairs in a single HTTP request, so a per-request rate limit of the kind commonly applied to wp-login.php sees one request where the origin sees hundreds of login attempts.
  • The author emphasizes that xmlrpc.php attacks are often 'invisible' to conventional monitoring, as the site remains accessible and CPU spikes might be subtle.
  • Detection is possible via Cloudflare's GraphQL analytics API or dashboard by checking 'Top Paths' for xmlrpc.php with a 'dynamic' cache status.
  • Mitigation involves two layers: blocking /xmlrpc.php at the Cloudflare WAF edge so the requests never reach the origin, and disabling XML-RPC within WordPress itself (for example via the xmlrpc_enabled filter, or a plugin such as WP Multitool) so the endpoint is also closed for traffic that bypasses Cloudflare.
  • The post concludes by recommending proactive measures like regularly monitoring cache rates and top paths, and preemptively blocking xmlrpc.php on new WordPress installations, as its legitimate use cases are minimal in 2026 due to the REST API.
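The detection steps above (cache hit ratio, top dynamic paths, a single IP hammering /xmlrpc.php) and the system.multicall batching trick are easy to reproduce on request logs. The following is an added example, not code from the original post or from any Cloudflare or WordPress project. It runs over a constructed set of JSON log records whose field names are modeled on Cloudflare Logpush HTTP request fields (ClientIP, ClientRequestMethod, ClientRequestPath, CacheCacheStatus) and over a constructed system.multicall body; the threshold and the sample values are assumptions, not numbers from the post.

```python
"""Spot an XML-RPC brute force from cache-status statistics and count the
credential guesses hidden inside one system.multicall request.

Added example (not from the original post). Log records and the XML body
below are constructed; IPs come from documentation ranges.
"""
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a little normal cached traffic plus one client
# posting repeatedly to /xmlrpc.php. Every such POST is uncacheable, so
# Cloudflare reports its cache status as "dynamic".
SAMPLE_LOG_LINES = [
    '{"ClientIP":"198.51.100.7","ClientRequestMethod":"GET","ClientRequestPath":"/","CacheCacheStatus":"hit"}',
    '{"ClientIP":"198.51.100.7","ClientRequestMethod":"GET","ClientRequestPath":"/wp-content/themes/x/style.css","CacheCacheStatus":"hit"}',
    '{"ClientIP":"198.51.100.22","ClientRequestMethod":"GET","ClientRequestPath":"/wp-login.php","CacheCacheStatus":"dynamic"}',
] + [
    '{"ClientIP":"203.0.113.45","ClientRequestMethod":"POST","ClientRequestPath":"/xmlrpc.php","CacheCacheStatus":"dynamic"}'
] * 7


def parse_log_lines(lines):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in lines]


def cache_hit_ratio(records):
    """Fraction of requests served from cache ("hit" status only)."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r["CacheCacheStatus"] == "hit")
    return hits / len(records)


def top_dynamic_paths(records, n=5):
    """The 'Top Paths with dynamic cache status' view, as (path, count)."""
    counts = Counter(r["ClientRequestPath"] for r in records
                     if r["CacheCacheStatus"] == "dynamic")
    return counts.most_common(n)


def xmlrpc_offenders(records, threshold):
    """Client IPs that POSTed to /xmlrpc.php at least `threshold` times."""
    counts = Counter(r["ClientIP"] for r in records
                     if r["ClientRequestMethod"] == "POST"
                     and r["ClientRequestPath"] == "/xmlrpc.php")
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


# Constructed system.multicall body: three wp.getUsersBlogs calls, each
# carrying a (username, password) guess. A real attack packs hundreds.
SAMPLE_MULTICALL = """<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>Password1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>letmein</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>editor</string></value><value><string>Password1</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""


def _scalar(value_el):
    """<value><string>x</string></value> or bare <value>x</value> -> "x"."""
    child = next(iter(value_el), None)
    return (child.text if child is not None else value_el.text) or ""


def parse_multicall(body):
    """Return [(methodName, [params...]), ...] from a system.multicall body.
    For untrusted request bodies in production, parse with defusedxml."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return []
    calls = []
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        method, params = None, []
        for member in struct.findall("member"):
            name, value = member.findtext("name"), member.find("value")
            if name == "methodName":
                method = _scalar(value)
            elif name == "params":
                params = [_scalar(v) for v in value.findall("./array/data/value")]
        calls.append((method, params))
    return calls


def summarize_multicall(body):
    """Count login attempts in one request: wp.getUsersBlogs(user, pass)."""
    calls = parse_multicall(body)
    attempts = [p for m, p in calls if m == "wp.getUsersBlogs" and len(p) >= 2]
    return {"calls": len(calls), "credential_attempts": len(attempts),
            "usernames": sorted({p[0] for p in attempts})}


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print("cache hit ratio:", cache_hit_ratio(recs))
    print("top dynamic paths:", top_dynamic_paths(recs))
    print("xmlrpc offenders:", xmlrpc_offenders(recs, threshold=5))
    print("multicall summary:", summarize_multicall(SAMPLE_MULTICALL))
```

One request in the sample log counts as one line, while the multicall summary shows that a single such line can hide several login attempts; multiply the two and a per-request rate limit on wp-login.php is clearly the wrong place to look. In practice, point parse_log_lines at a Logpush export and set the threshold from a day of baseline traffic rather than the small number used here.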