April 16, 2026

Cache me outside

Article URL →HN comments →

288,493 Requests – How I Spotted an XML-RPC Brute Force from a Weird Cache Ratio

0.8% Traffic Meltdown: One Bot, and a Comment War Over AI Writing

TLDR: A site’s traffic report exposed a massive login attack hitting an old WordPress feature, fixed by blocking one problem door. The comments? A pile-on about AI-sounding writing and whether Cloudflare should’ve stopped it automatically—useful advice overshadowed by a style war and platform skepticism.

A WordPress admin spotted a weird number in their Cloudflare dashboard: 0.8% cache hit rate. Translation: nearly everything hitting the site was bypassing the protective “fast lane.” The culprit? A single server in Singapore blasting 288,493 requests in a day at an old WordPress door called XML-RPC (a legacy feature that lets apps talk to your site), using a trick to cram hundreds of password tries into each request. The fix was simple and double-layered: block that door at the edge with a WAF (web application firewall) and switch off XML-RPC inside WordPress. Practical, useful… and then the comments lit up.

The crowd split fast. One camp said the piece reads like it was written by an AI—too long, too chirpy, not “human” enough. Another camp asked the bigger question: if Cloudflare didn’t catch this automatically, what’s the point? And a quieter third camp admitted the advice is useful for site owners—even if the style gave them a headache. People joked that “0.8% is my phone battery at 3 a.m.” and called XML-RPC the “front door nobody locks.”

Between the snark and the eye-rolls, the core takeaway still landed: if you run WordPress, check your top traffic paths. If you see /xmlrpc.php near the top, you’re likely under a stealth login flood. Useful? Yes. Overwritten? Many say yes. The internet remains undefeated.

Key Points

  • A WordPress site’s Cloudflare cache hit ratio fell to 0.8% due to 288,493 POSTs to /xmlrpc.php in 24 hours from a single Singapore DigitalOcean IP.
  • The attack used XML-RPC’s system.multicall to attempt hundreds of credentials per HTTP request, evading naive rate limits.
  • Cloudflare absorbed traffic so the site stayed up, but the origin server’s CPU was consumed handling each dynamic request.
  • Mitigation combined a Cloudflare WAF rule to block /xmlrpc.php and disabling XML-RPC inside WordPress via WP Multitool (defaults on in v1.1.19).
  • Detection guidance includes checking Cloudflare Top Paths and using the GraphQL Analytics API to find high-volume dynamic requests to /xmlrpc.php.

Hottest takes

I can't read LLM posts — dwedge
What’s the point of Cloudflare... — VladVladikoff
these sentences give me nausea — csomar

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.