XML-RPC is a legacy feature in WordPress introduced in early versions to allow remote publishing and mobile apps to interact with your site. It uses a single endpoint (xmlrpc.php) that can handle multiple methods (pingbacks, trackbacks, remote login, etc.).
While useful in the past, XML-RPC is now one of the favorite attack vectors for malicious actors: brute force login, pingback amplification attacks, DDoS, etc. Unless your site explicitly requires it, it’s safer to block or mitigate XML-RPC access altogether. If your WordPress site is under attack via XML-RPC and you notice unusual login attempts or high server load, acting quickly is crucial. When you need urgent help to secure your site and restore normal operation, emergency WordPress support can provide fast, professional assistance.
In this guide, we’ll explain:
-
What XML-RPC is and why it’s risky
-
How to detect XML-RPC attacks
-
Multiple methods (plugins, server rules, code) to block or restrict XML-RPC
-
Best practices & trade-offs
-
FAQs at the end
Let’s secure your WordPress site.
What Is XML-RPC in WordPress — and Why It’s Risky?
What Is XML-RPC?
-
It’s a remote communication protocol that uses XML messages over HTTP to perform methods like
wp.getPosts,wp.newPost,wp.getUsersBlogs, etc. -
The endpoint file is
your-site.com/xmlrpc.php. -
It’s also used for Jetpack, mobile apps, some remote plugins, pingbacks, trackbacks, and other remote services.
Why Attackers Love It
-
Brute Force / Login Attempts
Attackers can use thewp.getUsersBlogsmethod to test usernames, then send login attempts viawp.loginetc. This can allow unlimited login trials, circumventing standard security checks. One of the biggest dangers of XML‑RPC is its role in large‑scale brute force attacks. Attackers don’t just target the default WordPress login page — they often use XML‑RPC to send hundreds of login attempts in a single request. This makes traditional login protection ineffective unless you also secure WordPress against brute force login attempts. -
Pingback Amplification / DDoS
Older XML-RPC pingback methods can be abused to reflect traffic onto other sites, acting as attacks. -
Method chaining & hiding
A single XML-RPC request can contain multiple method calls, making it harder to detect via standard rules.
Because of these, many security experts consider XML-RPC a liability. The guiding principle: disable or limit it unless you absolutely need it.
How to Detect That Your Site Is Under XML-RPC Attack
Before blocking, it helps to confirm it’s happening:
-
Check your server access logs: lots of POST requests to
xmlrpc.php -
Watch for high CPU/Memory usage spikes
-
Browser error: “405 method not allowed” or blank pages when accessing
xmlrpc.php -
Security plugin alerts (Wordfence, Sucuri, etc.)
-
Comment spam or pingbacks that don’t make sense
If you confirm malicious traffic, apply one or more of the strategies below.
Methods to Block or Mitigate XML-RPC Attacks in WordPress
You can use plugins, server rules, or code snippets. A layered approach is best.
Method 1: Disable XML-RPC via a Plugin
Certain plugins are built for this purpose:
-
Disable XML-RPC — a lightweight plugin that simply returns HTTP 403 on xmlrpc.php
-
Jetpack by WordPress.com — has a setting to disable XML-RPC
-
Wordfence / All In One WP Security — include options to block XML-RPC brute force
Pros: easy, minimal configuration
Cons: plugin overhead, sometimes incompatible with Jetpack or remote publishing
Method 2: Block xmlrpc.php via .htaccess / Nginx Rules
Apache / .htaccess
You can deny access to xmlrpc.php at the server level:
If you still want to allow certain IPs (e.g. for remote publishing):
Nginx
In the server block:
If allowing specific IPs:
Note: Make sure to place these rules before your general WordPress rewrite rules.
Method 3: Block via WordPress Code (in functions.php or a small plugin)
You can hook early in WordPress and stop xmlrpc requests:
Alternatively, intercept requests:
You can also remove specific methods:
Or add a whitelist:
Method 4: Rate Limit / WAF / Firewall Rules
If you use a Web Application Firewall (WAF) or security service (Cloudflare, Sucuri, etc.):
-
Create a firewall rule to block POST requests to
xmlrpc.php. -
Rate limit repeated POSTs to that path.
-
Use ModSecurity or server security modules to detect XML-RPC method abuse.
Cloudflare example (Firewall Rule):
→ Block. For sites that need extra protection, especially if XML-RPC must remain enabled for certain apps, implementing two-factor authentication (2FA) for WordPress logins adds a strong layer of security. Even if attackers obtain valid credentials via XML-RPC or other methods, 2FA ensures they cannot access your admin dashboard without the second factor.
Which Method Should You Choose?
| Use Case | Recommended Method |
|---|---|
| You don’t use xmlrpc, Jetpack, remote posting | .htaccess / Nginx deny + xmlrpc_enabled = false |
| You use xmlrpc for remote apps or Jetpack | Whitelist IP, plugin, or firewall rule approach |
| High security site (e-commerce, membership) | Use WAF + multiple restrictions + logging |
Putting It All Together — Example Full Setup
Here’s an example functions.php snippet you can turn into a mini plugin:
Then in .htaccess:
If you run Nginx, add:
These combined will effectively block nearly every avenue of XML-RPC abuse.
Monitoring & Logging XML-RPC Attacks
Even after blocking, it’s wise to log attempts so you can see if someone is trying:
You can also hook xmlrpc_error or use custom logging.
Then check your wp-content/debug.log or server logs to see how many attempts are being blocked.
Pros & Trade-offs
-
✅ Disabling XML-RPC mitigates a major attack vector
-
✅ Lower server load under brute force attacks
-
❌ You lose legitimate remote publishing or Jetpack features
-
❌ You’ll need custom whitelist rules if you later want remote access
Hence, always test fully after disabling — if something breaks (mobile apps, plugin updates, etc.), be ready to fine-tune. Even after blocking XML-RPC and implementing 2FA, it’s wise to review your overall WordPress security posture. Using the best WordPress security plugins can help monitor attacks, enforce firewall rules, and prevent other vulnerabilities from being exploited. These plugins provide an extra layer of protection and make it easier to manage security for your site.
FAQs (Frequently Asked Questions)
Q1: Will disabling XML-RPC break Jetpack or mobile apps?
A: Yes — Jetpack, WordPress mobile app, and some remote posting plugins rely on XML-RPC. If you disable it totally, those features will break.
Q2: What is xmlrpc_enabled filter?
A: It’s a WordPress filter that returns true or false to enable or disable XML-RPC support. Returning false disables it at the core level.
Q3: Can I partially disable only certain XML-RPC methods?
A: Yes. Using the xmlrpc_methods filter, you can unset specific methods (pingback, trackbacks, etc.) while allowing others.
Q4: How do I allow XML-RPC access only from specific IPs?
A: Use server rules (Require ip in .htaccess or allow ip in Nginx) or conditionally return true in xmlrpc_enabled based on $_SERVER['REMOTE_ADDR'].
Q5: After blocking xmlrpc.php, I still see heavy traffic — why?
A: Attackers can also target wp-json/wp/v2/users, AJAX endpoints, admin login (wp-login.php). XML-RPC is just one vector. Use a WAF and rate limiting as additional defense.
Q6: Should I monitor blocked requests?
A: Absolutely. Logging attempts helps you see attacker patterns, IP addresses, and refine rules over time.
Conclusion
XML-RPC is legacy tech, but remains a major security risk for WordPress sites. Blocking or restricting it is one of the most effective ways to reduce brute force attacks, DDoS vectors, and server load. Use a combination of server rules, filters, plugins, and monitoring to secure your site.
