WordPress Security

WordPress XML-RPC Brute Force Attacks: The Hidden Login Vulnerability

XML-RPC is an easily overlooked login path: attackers can bundle hundreds of password guesses into a single request to xmlrpc.php, and rate limits that only watch wp-login.php never see them. Learn why you should disable it.

David Kim
XML-RPC brute force attack vulnerability in WordPress

The XML-RPC Security Problem

When you secure your WordPress login page, you might think you're protected from brute force attacks. But there is a second authentication endpoint that many site owners never think about: XML-RPC. It is not a secret backdoor; it is a documented legacy API at xmlrpc.php that accepts a username and password on almost every method it exposes. Login protections that only watch wp-login.php do not see it at all, and its system.multicall method lets an attacker pack hundreds of guesses into one HTTP request.

What is XML-RPC?

XML-RPC (xmlrpc.php) is a remote procedure call interface built into WordPress. It predates the REST API and was the way external applications talked to WordPress:

  • Mobile apps (before REST API)
  • Desktop publishing tools
  • Pingbacks and trackbacks
  • Remote posting services

How XML-RPC Brute Force Works

The system.multicall Method

Here's the dangerous part: XML-RPC supports a method called system.multicall that runs a list of other method calls inside one request. Any method that takes credentials (wp.getUsersBlogs is the usual choice because it needs nothing but a username and password) can be listed in it. An attacker:

  1. Bundles hundreds of wp.getUsersBlogs calls, each with the same username and a different password, into one system.multicall
  2. Sends that as a single HTTP POST to xmlrpc.php
  3. Reads one response that contains a result or fault for every bundled call
  4. Repeats with the next slice of the password list

Why It Bypasses Protection

Most login limiters count failed requests to wp-login.php, not password attempts inside an XML-RPC body. One request carrying 500 multicall entries counts as ONE request (or as nothing at all, if the limiter only watches wp-login.php) while carrying 500 guesses. WordPress 4.4 (December 2015) blunted this in core: once one login inside a multicall fails, the remaining calls in that request are rejected without their credentials being checked. Sites on older or unpatched versions still hand out hundreds of real guesses per request, and on any version xmlrpc.php still accepts credentials one request at a time, unseen by protections that only cover the login form.

Attack Amplification

  • Normal brute force: 1 request = 1 password attempt
  • XML-RPC multicall brute force (WordPress before 4.4, or any site without the core mitigation): 1 request = 500+ password attempts
  • Result: hundreds of times fewer requests for the same number of guesses, and each request looks like ordinary API traffic rather than a failed login
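The payload described above, as an added example that is not code from the original article or from WP Folder Shield: it builds a system.multicall request with Python's standard xmlrpc.client, counts how many credential-bearing calls a request really carries (the number a request-counting limiter never sees), and parses a constructed multicall response. Nothing here contacts a server; the fault wording is modelled on WordPress core's message and is an assumption, not a capture.

```python
"""Build and inspect a WordPress system.multicall brute-force payload.

Added example, not code from the original article or from WP Folder Shield.
Nothing here contacts a server: it builds the request an attacker would
send and parses a constructed response, so the shape a WAF rule or log
review has to recognise is concrete.
"""
import xmlrpc.client

# Methods that take a username/password pair.  wp.getUsersBlogs is the
# usual choice: cheap, and it needs no blog or post ID.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getUsers", "wp.getProfile"}


def build_multicall(username, passwords):
    """XML body of one system.multicall carrying a wp.getUsersBlogs call
    per candidate password: one HTTP request, len(passwords) guesses."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    # dumps() takes a tuple of params; the single param is the list of calls.
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def count_credential_calls(request_xml):
    """Number of credential-bearing calls in a request body.  A plain call
    counts as one; a system.multicall counts every bundled auth call.  This
    is the figure a limiter that only counts HTTP requests never sees."""
    params, method = xmlrpc.client.loads(request_xml)
    if method != "system.multicall":
        return 1 if method in CREDENTIAL_METHODS else 0
    return sum(1 for call in params[0]
               if call.get("methodName") in CREDENTIAL_METHODS)


def make_response(slots):
    """Constructed multicall response.  Each slot is either a one-item
    list (success) or a struct with faultCode/faultString (failure)."""
    return xmlrpc.client.dumps((slots,), methodresponse=True)


def parse_multicall_response(response_xml):
    """Label each slot: ('fault', code, message) or ('ok', value).  One
    'ok' slot for an auth method means a password guess succeeded."""
    (slots,), _ = xmlrpc.client.loads(response_xml)
    out = []
    for slot in slots:
        if isinstance(slot, dict) and "faultCode" in slot:
            out.append(("fault", slot["faultCode"], slot["faultString"]))
        else:
            out.append(("ok", slot[0]))
    return out


def demo():
    """Five guesses in, five 403 faults back.  The fault wording mirrors
    WordPress core's message but is assumed here, not captured live.
    Since WordPress 4.4 core stops checking credentials after the first
    failure in a multicall, so every later slot is a fault no matter the
    password; the reply looks identical either way."""
    guesses = ["password", "admin123", "letmein", "qwerty", "Welcome1"]
    request = build_multicall("admin", guesses)
    fault = {"faultCode": 403, "faultString": "Incorrect username or password."}
    response = make_response([fault] * len(guesses))
    return count_credential_calls(request), parse_multicall_response(response)
```

A WAF or proxy rule built on this idea rejects any system.multicall whose bundled calls include an authenticating method, or any multicall with more than a handful of entries; counting entries in the body, not requests, is the whole point.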

Other XML-RPC Security Risks

DDoS Amplification

The pingback.ping method makes your server fetch a URL supplied by the caller, which turns any WordPress site into a reflector for distributed denial-of-service attacks:

  • The attacker sends pingback.ping requests, all naming the victim's URL, to thousands of WordPress sites
  • Every one of those sites dutifully sends HTTP requests to the victim
  • Your site becomes one node in a reflection attack, and the victim's logs show your IP address, not the attacker's

SSRF Vulnerabilities

Because pingback.ping fetches an attacker-chosen URL from your server, it can be abused for Server-Side Request Forgery: probing hosts and ports on the internal network that the web server can reach but the attacker cannot. Core restricts the destinations it will fetch, but the safest outcome is for the method not to be reachable at all.

Who Actually Needs XML-RPC?

You Probably Don't Need It If...

  • You write and edit in the browser
  • You don't use Jetpack
  • You don't send or receive pingbacks
  • You don't use any external publishing client or service that logs in through xmlrpc.php

You Might Need It If...

  • You use Jetpack (its connection to WordPress.com still goes through xmlrpc.php, and some features depend on it)
  • You log in to a self-hosted site from the WordPress mobile app (the app authenticates against self-hosted sites over XML-RPC)
  • You use legacy desktop publishing tools or remote posting services

Disabling XML-RPC with WP Folder Shield

Complete Disable (Recommended)

  1. Go to Folder Shield > Settings > API & Hardening
  2. Enable "Disable XML-RPC"
  3. Save changes

What Happens

  • xmlrpc.php returns an error for all requests
  • X-Pingback header removed from responses
  • Brute force via XML-RPC blocked completely
  • DDoS amplification prevented

Testing XML-RPC Status

Check If XML-RPC is Active

Visit: https://yoursite.com/xmlrpc.php

  • XML-RPC enabled: Shows "XML-RPC server accepts POST requests only." (HTTP 405)
  • XML-RPC blocked at the web server: Shows a 403 or 404 error page

One caveat: a site that disables XML-RPC inside WordPress (through the xmlrpc_enabled filter that plugins use) still answers this GET with the same "accepts POST requests only" message, because only the authenticated methods are switched off. To be sure, send a POST: a method call such as wp.getUsersBlogs returns a fault 405 "XML-RPC services are disabled on this site." when the filter is in place, and a fault 403 "Incorrect username or password." when the endpoint is still checking credentials. That filter also leaves pingback.ping in place, so a server-level block remains the more complete test result.
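An added example, not code from the original article or from WP Folder Shield, that performs the GET-plus-POST check described above. probe() makes live requests against a site URL you supply (assumed; it is not tied to any real site); classify() is the decision logic and runs offline against constructed responses. The method list and fault wording in constructed_responses() are modelled on WordPress core and are assumptions, not captures.

```python
"""Check what xmlrpc.php on a site actually exposes.

Added example, not code from the original article or from WP Folder Shield.
probe() sends one GET and two POSTs to a URL you supply; classify() is the
decision logic and runs offline on the constructed responses below.
"""
import urllib.error
import urllib.request
import xmlrpc.client

FAULT_DISABLED = 405   # login() returns this when the xmlrpc_enabled filter is false
FAULT_BAD_CREDS = 403  # returned when credentials were checked and rejected


def classify(get_status, list_body, auth_body):
    """Combine the GET status with the bodies of two POSTs:
    system.listMethods and wp.getUsersBlogs with bogus credentials."""
    if get_status in (403, 404):
        return {"state": "blocked", "auth": "n/a", "pingback": False, "multicall": False}
    try:
        (methods,), _ = xmlrpc.client.loads(list_body)
    except xmlrpc.client.Fault:
        methods = []
    try:
        xmlrpc.client.loads(auth_body)
        auth = "accepted"   # bogus credentials accepted: should never happen
    except xmlrpc.client.Fault as f:
        auth = {FAULT_DISABLED: "disabled", FAULT_BAD_CREDS: "open"}.get(f.faultCode, "fault")
    return {"state": "reachable", "auth": auth,
            "pingback": "pingback.ping" in methods,      # still on with xmlrpc_enabled=false
            "multicall": "system.multicall" in methods}


def _post(url, method, params):
    """POST one XML-RPC call and return (status, body) even on HTTP errors."""
    body = xmlrpc.client.dumps(params, methodname=method).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(site):
    """Live check of https://example/ -> https://example/xmlrpc.php (assumed URL)."""
    url = site.rstrip("/") + "/xmlrpc.php"
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            get_status = r.status
    except urllib.error.HTTPError as e:
        get_status = e.code
    if get_status in (403, 404):
        return classify(get_status, "", "")
    _, list_body = _post(url, "system.listMethods", ())
    _, auth_body = _post(url, "wp.getUsersBlogs", ("nobody", "not-a-real-password"))
    return classify(get_status, list_body, auth_body)


def constructed_responses(core_disabled):
    """Bodies a WordPress site would send back.  Constructed here; the
    method list and fault text follow core's wording but are assumptions."""
    methods = ["system.multicall", "system.listMethods", "pingback.ping",
               "wp.getUsersBlogs", "wp.getPosts"]
    list_body = xmlrpc.client.dumps((methods,), methodresponse=True)
    if core_disabled:
        fault = xmlrpc.client.Fault(FAULT_DISABLED, "XML-RPC services are disabled on this site.")
    else:
        fault = xmlrpc.client.Fault(FAULT_BAD_CREDS, "Incorrect username or password.")
    return list_body, xmlrpc.client.dumps(fault, methodresponse=True)
```

The three outcomes map to three different actions: "blocked" means the web server rule is doing its job; "reachable" with auth "disabled" means WordPress is refusing logins but pingback.ping is still callable; "reachable" with auth "open" means the endpoint is taking password guesses.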

Online Testing Tools

Online XML-RPC testing tools will report the same GET result; prefer one that also sends a POST method call, since a GET alone cannot distinguish a site where XML-RPC was switched off inside WordPress from one where it is fully live.

What About Jetpack?

Modern Jetpack

Jetpack has moved parts of its functionality to the REST API, but its connection to WordPress.com still goes through xmlrpc.php, and Jetpack's own guidance is to keep the file reachable. Check Jetpack's debug or site health output before you block it, and watch for connection errors afterwards.

If You Need XML-RPC for Jetpack

Some Jetpack features may require XML-RPC. If so:

  • Keep XML-RPC enabled
  • Use Jetpack's built-in brute force protection
  • Enable WP Folder Shield's other protections

Alternative: Block XML-RPC at Server Level

.htaccess (Apache/LiteSpeed)

<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

Apache 2.4 uses the Require syntax; the Order/Deny form is the Apache 2.2 syntax and only works on 2.4 if mod_access_compat is loaded, so the IfModule blocks cover both.

nginx

location = /xmlrpc.php {
    deny all;
}

A web server rule refuses the request before PHP runs, so it also stops pingback.ping and costs nothing per request. WP Folder Shield handles this automatically when you enable "Disable XML-RPC."

Monitoring XML-RPC Attacks

Check Security Logs

Even with XML-RPC disabled, review the web server access log for:

  • POST requests to xmlrpc.php (they should all receive a 403 or 404)
  • Bursts of those requests from one address, which identify the brute-force sources worth blocking elsewhere too
  • Any 200 response from xmlrpc.php (there shouldn't be one; if there is, the block is not in front of every path to the file, for example a second vhost or a cached copy)
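The log review above, as an added example that is not code from the original article or from WP Folder Shield: it parses combined-format access log lines, finds addresses that burst POSTs at xmlrpc.php, and flags any 2xx the endpoint returned after it was supposed to be blocked. The log lines are constructed, and the five-minute window and 20-request burst threshold are assumptions to tune per site.

```python
"""Find XML-RPC abuse in a web server access log.

Added example, not code from the original article or from WP Folder Shield.
The log lines are constructed in the combined format Apache and nginx
write by default; the window and burst thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def max_in_window(times, window):
    """Largest number of timestamps falling inside any span of `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_xmlrpc_abuse(lines, window=timedelta(minutes=5), burst=20,
                      expect_blocked=True):
    """Return {'total', 'bursts', 'unblocked'}:
    total     - requests to xmlrpc.php seen
    bursts    - {ip: peak count} for IPs exceeding `burst` POSTs per `window`
    unblocked - IPs that got a 2xx from xmlrpc.php although it should be blocked
    A 2xx after the endpoint was disabled means the block is not in front of
    every path to the file (cache, second vhost) and needs attention."""
    per_ip = defaultdict(list)
    unblocked, total = [], 0
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("/xmlrpc.php"):
            continue
        total += 1
        if rec["method"] == "POST":
            per_ip[rec["ip"]].append(rec["ts"])
        if expect_blocked and 200 <= rec["status"] < 300 and rec["ip"] not in unblocked:
            unblocked.append(rec["ip"])
    bursts = {ip: n for ip, ts in per_ip.items()
              if (n := max_in_window(ts, window)) > burst}
    return {"total": total, "bursts": bursts, "unblocked": unblocked}


def sample_log():
    """Constructed lines: a 25-request POST burst answered 403 (block is
    working), one POST that got a 200 (block missed), and unrelated traffic."""
    base = datetime(2026, 1, 20, 3, 14, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /xmlrpc.php HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.7", status=403, size=199,
                        ts=(base + timedelta(seconds=4 * i)).strftime(TS_FMT))
             for i in range(25)]
    lines.append(fmt.format(ip="198.51.100.9", status=200, size=48211,
                            ts=base.strftime(TS_FMT)))
    lines.append('192.0.2.4 - - [{}] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
                 .format(base.strftime(TS_FMT)))
    return lines
```

Run it over a real log with find_xmlrpc_abuse(open("access.log")); the bursting addresses are candidates for a firewall or WAF block, and any entry in unblocked is a configuration bug to chase, not an attack to tolerate.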

Conclusion

XML-RPC is a legacy feature that most WordPress sites no longer need, but it remains enabled by default and gives attackers a second place to submit passwords that login-form protections never see. Its system.multicall method let attackers try hundreds of passwords per request until WordPress 4.4 stopped checking credentials after the first failure in a bundle, and unpatched sites still hand out those guesses today. Unless you have a specific need for XML-RPC (like Jetpack or the mobile app), disable it completely with WP Folder Shield. It's a simple change that eliminates a significant attack vector.

Written by David Kim
WP Folder Shield Team
