WordPress brute force attack

I have had a really strange problem: MySQL dies after a few seconds without logging anything; it just stops. After some investigation, upgrading the database and tuning, I found that it was not a problem with the database; the database seemed to be getting an unusually high amount of traffic. After looking in my Apache logs I found a lot of these rows:

191.96.249.53 - - [28/Sep/2016:09:36:16 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

It turns out that my site was being subjected to a brute force attack that targeted the WordPress xmlrpc.php file.

I fixed it by blocking the IPs in the firewall:

iptables -A INPUT -s 191.96.249.53 -j DROP

Checking the stats for the INPUT chain showed that there was a lot of traffic coming in, which is now dropped.

iptables -L INPUT -v -n
Chain INPUT (policy ACCEPT 1133 packets, 431K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       46.166.139.20        0.0.0.0/0
 4708  282K DROP       all  --  *      *       191.96.249.54        0.0.0.0/0
 1739  102K DROP       all  --  *      *       191.96.249.75        0.0.0.0/0
  785 47272 DROP       all  --  *      *       191.96.249.53        0.0.0.0/0

It seems to have fixed the problem for now.
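
Added example (not part of the original post): a small shell script that counts POST requests to /xmlrpc.php per client IP in an Apache access log and prints, without running them, iptables rules of the form used above. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: count POST requests to /xmlrpc.php per client IP in an
# Apache access log (common/combined format) and list the heavy hitters.

# xmlrpc_offenders MIN < access.log
# Prints "<count> <ip>" for every client with at least MIN POSTs to
# /xmlrpc.php, busiest first. MIN is a hypothetical threshold; tune it.
xmlrpc_offenders() {
    min="${1:-100}"
    awk -v min="$min" '
        # $1 = client IP, $6 = opening quote + method, $7 = request path
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# block_commands MIN < access.log
# Prints (does not run) one iptables rule per offender, for review.
block_commands() {
    xmlrpc_offenders "$1" | while read -r _count ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample log lines (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [28/Sep/2016:09:36:16 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0"
203.0.113.11 - - [28/Sep/2016:09:36:16 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0"
203.0.113.10 - - [28/Sep/2016:09:36:17 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Sep/2016:09:36:17 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Sep/2016:09:36:18 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0"
203.0.113.10 - - [28/Sep/2016:09:36:18 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0"
198.51.100.8 - - [28/Sep/2016:09:36:19 +0200] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Sep/2016:09:36:19 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Sep/2016:09:36:20 +0200] "POST /xmlrpc.php HTTP/1.1" 200 596 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Sep/2016:09:36:20 +0200] "POST /xmlrpc.php HTTP/1.0" 200 596 "-" "Mozilla/4.0"
EOF
}

# Demo on the constructed sample: clients with 3 or more POSTs to xmlrpc.php.
sample_log | xmlrpc_offenders 3
```

On a real server, feed the function the actual access log on stdin and review the printed rules before applying any of them.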