I Ignored My Blog for Months. The Hackers Didn’t.

A few months ago, my personal blog and I had settled into a comfortable relationship: it existed, and I occasionally remembered that it existed.

It wasn’t abandoned exactly. Just… quietly aging on the internet.

Then one morning I started getting emails.

Subject line: “Limit Login Attempts – Lockout Notification.”

Apparently, someone (or something) was trying very hard to log into my WordPress site and failing repeatedly. Over and over. From different IP addresses. At slightly alarming hours.

My first thought was:
“Why would anyone want to hack my tiny, barely-updated personal blog?”

My second thought was:
“Oh no. Have I been hacked already?”


The Investigation Begins

The emails were coming from my login protection plugin, which meant at least one thing was working: failed attempts were being blocked.

Still, the volume felt unsettling.

After some digging, I discovered most of the attempts weren’t even coming through the normal login page. They were hitting something called xmlrpc.php.

If you’ve never heard of it, you’re not alone. I hadn’t either.

Turns out XML-RPC is a WordPress feature that allows remote publishing and app-based logins. It’s also a favorite entry point for brute-force bots because it can bundle multiple login attempts into a single request.

In other words: efficient chaos.


The Realization

After a mild internal panic, I learned something surprisingly comforting:

This wasn’t personal.

Bots constantly scan the internet for WordPress sites. Big sites. Small sites. Abandoned hobby blogs. Everything. They try common usernames like “admin” and cycle through password guesses. It’s automated, indiscriminate, and extremely boring.

The internet is just… noisy.

That made me feel better.

Then I checked my WordPress version.

It hadn’t been updated in 6–8 months.

That made me feel worse.


The Fix

I did three things:

  1. Updated WordPress to 6.9.1.
  2. Blocked xmlrpc.php at the server level.
  3. Kept my login attempt limiter active.

That was basically it.
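
Step 2 in concrete form, as an added example that is not the configuration from the original post: an nginx snippet that refuses every request to xmlrpc.php at the web server, before PHP or WordPress ever sees it. It assumes an nginx front end and a standard WordPress install with xmlrpc.php at the site root; the hostname used for the check below is a placeholder.

```nginx
# Added example (not from the original post): deny the WordPress XML-RPC
# endpoint at the web server so bundled multicall login attempts never
# reach PHP. Place this inside the server { } block for the WordPress site.
location = /xmlrpc.php {
    # Uncomment and adjust if a remote-publishing service you rely on
    # (Jetpack, a mobile client) still needs XML-RPC; allow rules must
    # come before deny all.
    # allow 203.0.113.10;      # placeholder address, replace with the real one
    deny all;                  # every other client gets 403
    log_not_found off;
}
```

Reload with `nginx -t && nginx -s reload`, then confirm the rule from outside with `curl -I https://example.com/xmlrpc.php`, which should answer `403 Forbidden`. The 403s still appear in the access log, which is useful: the probe volume stays visible even though nothing reaches WordPress. On Apache 2.4 the equivalent is a `<Files "xmlrpc.php"> Require all denied </Files>` stanza in the site config or .htaccess. Blocking the endpoint outright breaks anything that publishes through XML-RPC, so check whether Jetpack or a mobile app on your site depends on it before going with the blanket deny.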

Within minutes, the XML-RPC noise stopped. The login lockout emails slowed down. My blood pressure returned to pre-hack levels.


What I Learned

  1. Every WordPress site gets probed. It’s normal.
  2. Login attempt emails mean protection is working.
  3. Being a few months behind on updates isn’t catastrophic — but it’s not ideal.
  4. Blocking XML-RPC is incredibly satisfying.
  5. “Inactive blog” is not the same thing as “invisible to bots.”

Most importantly, I realized the biggest risk wasn’t brute-force login attempts. It was neglect.

Outdated plugins. Old PHP versions. Forgotten themes. That’s where real compromises tend to happen.


The Internet Is Just Bumping Your Doorknob

That’s what this felt like in the end.

Not a burglar breaking in — just bots walking down the street trying door handles. My site happened to have a lock on it. They rattled it, it didn’t open, and they moved on.

Meanwhile, I finally gave my blog the updates it deserved.

So in a strange way, I’m grateful for the mildly annoying warning emails. They nudged me into tightening things up.

And now my quietly aging personal blog is slightly less quietly aging — and a lot more secure.
