XML-RPC DDoS Amplification Attack (Pingback Log Detection)
See real Layer 7 DDoS pingback logs. Detect WordPress amplification attacks instantly and learn how to configure your edge network to absorb the flood.
Log Signature Detected: If you're seeing "192.168.1.10 - - [02/Apr/2026:15:10:22 +0000] "POST /xmlrpc...." in your logs, your server may be under a DDoS attack.
Real Log Example
192.168.1.10 - - [02/Apr/2026:15:10:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "WordPress/6.4.3; http://compromised-site.com"
192.168.1.11 - - [02/Apr/2026:15:10:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "WordPress/6.4.3; http://another-hacked-site.com"
192.168.1.12 - - [02/Apr/2026:15:10:23 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "WordPress/6.4.3; http://third-victim-site.com"
What Is a DDoS?
Security analysts and DevOps teams monitoring infrastructure like Nginx, Apache HTTP Server, Node.js, AWS, and WordPress must be able to quickly identify and triage these malicious log patterns to prevent data breaches.
Beyond brute force attacks, xmlrpc.php is frequently weaponized to execute Layer 7 Distributed Denial of Service (DDoS) attacks through a technique called Pingback Amplification.
An attacker sends a forged XML-RPC request to thousands of legitimate WordPress sites, instructing them to 'ping' a target server. The target server is then flooded with requests from thousands of unique IPs.
In your logs, this manifests as a massive spike in POST requests to /xmlrpc.php, generating widespread 429 Too Many Requests errors.
How to Detect an XML-RPC DDoS Amplification Attack in Logs
The User Agent: This is the smoking gun. Almost all requests will have a User-Agent string starting with 'WordPress/x.x.x', indicating the requests are coming from other WordPress servers, not browsers.
Distributed IPs: Unlike a brute force attack coming from a single IP, a DDoS amplification attack will feature thousands of completely different IP addresses from all over the globe.
Resource Exhaustion: You will likely notice this attack because your server's CPU will spike to 100%, and the MySQL database will crash before you even look at the logs.
DDoS Attack Detection Checklist
| Pattern | Indicator | Severity |
|---|---|---|
| WordPress/x.x.x in User-Agent | Pingback amplification reflector | Critical |
| Thousands of unique IPs to xmlrpc.php | Distributed amplification attack | Critical |
| CPU spike + MySQL crash during POST flood | Layer 7 resource exhaustion | Critical |
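The log-visible indicators in the checklist can be checked mechanically. The following is an added example, not code from this page or from the tool it describes: the function name and both thresholds are assumptions, and the sample input is constructed from the page's three log lines plus two benign lines.

```python
import re
from collections import Counter

# Combined log format: ip, ident, user, [timestamp], "request", status, size, "referer", "user agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
WP_UA_RE = re.compile(r'^WordPress/\d+(\.\d+)*')  # the 'WordPress/x.x.x' prefix

def summarize_pingback_flood(lines, min_unique_ips=3, min_wp_ratio=0.9):
    """Summarise POSTs to /xmlrpc.php and flag the pattern described above.
    Both thresholds are illustrative assumptions; tune them to normal traffic."""
    ips, statuses = set(), Counter()
    total = wp_hits = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        total += 1
        statuses[m["status"]] += 1
        if WP_UA_RE.match(m["ua"]):  # request came from another WordPress server
            wp_hits += 1
            ips.add(m["ip"])
    ratio = wp_hits / total if total else 0.0
    return {
        "xmlrpc_posts": total,
        "wordpress_ua_posts": wp_hits,
        "unique_wordpress_ips": len(ips),
        "status_counts": dict(statuses),
        "suspected_amplification": len(ips) >= min_unique_ips and ratio >= min_wp_ratio,
    }

# Constructed sample: the page's three log lines plus two benign requests.
SAMPLE = [
    '192.168.1.10 - - [02/Apr/2026:15:10:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "WordPress/6.4.3; http://compromised-site.com"',
    '192.168.1.11 - - [02/Apr/2026:15:10:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "WordPress/6.4.3; http://another-hacked-site.com"',
    '192.168.1.12 - - [02/Apr/2026:15:10:23 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "WordPress/6.4.3; http://third-victim-site.com"',
    '203.0.113.7 - - [02/Apr/2026:15:10:21 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [02/Apr/2026:15:10:23 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize_pingback_flood(SAMPLE))
```

A single address hammering /xmlrpc.php with a browser User-Agent is not flagged, which matches the page's distinction between brute force and distributed amplification.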
How to Defend Against This Threat
Disable the Pingback feature entirely within your WordPress discussion settings.
Configure your edge network (like Cloudflare) to challenge requests hitting /xmlrpc.php with unexpected user agents.
Rate limit connections to the xmlrpc.php endpoint to ensure it cannot overwhelm the application layer.