If there is “Error connecting to database” error, and the access.log file is huge (several GB), and there are many “POST /xmlrpc.php” or “POST /wp-login.php” in it, it’s brute force attack.
How to stop it?
I. Use password to protect wp-login.php
1. Generate file ./htpasswd, e.g. use http://www.htaccesstools.com/htpasswd-generator/, put it in folder (e.g. /var/www)
Note: could use the following command to generate random password first
openssl rand -base64 6
2. Add the following code in .htaccess under where the wp-login.php is (usually the root folder of WordPress installation)
# Stop Apache from serving .ht* files <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> # Protect wp-login <Files wp-login.php> AuthUserFile [ABSOLUTE PATH]/.htpasswd AuthName "Private access" AuthType Basic require user USERNAME-SET-IN-HTPASSWD </Files>
Reference: Brute Force Attacks on WordPress.org
II. Stop access to xmlrpc.php
If xmlrpc is not used, just block access to it. In .htaccess file, add
<Files xmlrpc.php> order deny,allow deny from all </Files>