For years, the file xmlrpc.php has been a favorite target of bad bots probing WordPress installs. Even if you don’t use XML-RPC features, bots love hammering it with login attempts, pingbacks, or other automated noise.
Sure, you can block it at the web server level or with a plugin. But I decided to take a different approach: give the bots what they want — and waste their time doing it.
The Idea
Instead of deleting or disabling xmlrpc.php, I replaced it with a lightweight PHP honeypot:
It accepts POST requests
Logs the IP, user-agent, and host
Sleeps for a random number of seconds
Responds with a bogus HTTP status like 402 or 451
It doesn’t try to fight the bot — just quietly logs it and makes the trip a little slower.
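A minimal drop-in with the behaviour described above, as an added example rather than the code from the linked repo; the log path, the delay bounds and the 402/451 choice are assumptions:

```php
<?php
// Replacement xmlrpc.php: log the request, stall for a while, answer with a bogus status.
// Assumed settings: log file outside the web root, delay between 5 and 30 seconds.
declare(strict_types=1);

const LOG_FILE    = __DIR__ . '/../xmlrpc-honeypot.log'; // placeholder path, must be writable
const MIN_DELAY   = 5;
const MAX_DELAY   = 30;  // keep below your PHP-FPM / web server request timeout
const BOGUS_CODES = [402, 451];

// Only POST is interesting; anything else gets a terse 405 and no delay.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    exit;
}

// REMOTE_ADDR is the socket peer. Only substitute X-Forwarded-For if a proxy
// you control sets it, otherwise the bot can spoof the logged address.
$ip   = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$host = $_SERVER['HTTP_HOST'] ?? 'unknown';
$ua   = $_SERVER['HTTP_USER_AGENT'] ?? '-';

// Strip control characters and cap length so a crafted header cannot forge
// extra log lines or bloat the file.
$clean = static fn(string $s): string =>
    substr(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s), 0, 300);

$delay = random_int(MIN_DELAY, MAX_DELAY);

$line = sprintf("[%s] Host: %s | IP: %s | UA: %s | Delay: %ds\n",
    date('Y-m-d H:i:s'), $clean($host), $clean($ip), $clean($ua), $delay);

// Write before sleeping so the entry survives even if the bot disconnects early.
// LOCK_EX serialises concurrent bots appending to the same file.
file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);

// The request body is never parsed, so there is no XML-RPC attack surface left.
sleep($delay);

http_response_code(BOGUS_CODES[array_rand(BOGUS_CODES)]);
header('Content-Type: text/plain');
echo "Unavailable\n";
```

Log lines come out in the same format shown in the post, so any later tally by host or IP can be done with a one-line grep or awk.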
What It Logs
Here’s a sample of what I see in the logs:
[2025-07-03 18:24:21] Host: example-one.com | IP: 183.191.8.45 | UA: Mozilla/5.0 (…) Chrome/91.0 (…) | Delay: 28s
[2025-07-03 18:58:31] Host: briandurham.net | IP: 85.202.70.88 | UA: Mozilla/5.0 (…) Chrome/78.0 (…) | Delay: 19s
[2025-07-03 19:13:13] Host: example-two.net | IP: 64.181.214.33 | UA: Mozilla/5.0 (…) Chrome/95.0 (…) | Delay: 21s
It’s a nice window into which domains are getting scraped, and how often.
Why Not Just Block Them?
You absolutely can — and I do block some IPs using iptables or fail2ban. But this honeypot gives me a low-effort way to observe and frustrate.
Delays waste botnet resources
Logs give visibility into trends
No false positives — only bad actors touch it
And since it returns a real HTTP response, it keeps low-sophistication scanners from immediately giving up and moving on.
Try It Yourself
If you want to try this out, I’ve published it as a public repo:
xmlrpc-honeypot on GitHub
Copy the xmlrpc.php file to your WordPress site’s root and make sure the log file is writable. That’s it.
It won’t stop everything — but it’s a satisfying way to give bot traffic a dead end.
Support this project
If this helped you trap a few bots or understand your server traffic better, you can support future tools at: ko-fi.com/briandurham
More experiments like this coming soon.