
XML-RPC Attacks on WordPress: Prevention Guide

XML-RPC is a common attack vector for WordPress sites. Learn how attackers exploit this feature and how to protect your website from XML-RPC based attacks.

Sarah Chen
[Image: XML-RPC attack visualization showing blocked malicious requests to WordPress]

What Is XML-RPC?

XML-RPC is a remote procedure call protocol that WordPress exposes through the file xmlrpc.php in the site root; it has been enabled by default since WordPress 3.5. A client sends an HTTP POST whose body is an XML document naming a method (for example wp.getUsersBlogs or pingback.ping) and its parameters, and WordPress answers with an XML response. This is how external applications, mobile apps, and services interact with a site without a browser session.

While useful for legitimate purposes like publishing posts from mobile apps or connecting with services like Jetpack, XML-RPC has become a significant security concern due to its exploitation by attackers.

How Attackers Exploit XML-RPC

Brute Force Amplification

The system.multicall method bundles many method calls into one HTTP request, and each nested call such as wp.getUsersBlogs carries its own username and password. An attacker can therefore submit hundreds of password guesses per request, while a rate limiter that counts requests to wp-login.php, or HTTP requests in general, sees a single POST. Since WordPress 4.4 core rejects every remaining call in a multicall once one login has failed, which blunts the amplification, but each request still carries a login attempt that wp-login.php protections never see.

DDoS Amplification

Attackers abuse the pingback.ping method to turn WordPress sites into DDoS reflectors. A pingback request names a source URL and a target post on your site, and to verify the pingback WordPress fetches the source URL. By sending many pingback requests whose source URL points at a victim, an attacker makes your server, and thousands of other WordPress sites, flood that victim with HTTP requests. WordPress advertises the endpoint itself (an X-Pingback response header and a pingback link tag on posts that accept pingbacks), so no guessing is needed.

Username Enumeration

XML-RPC gives attackers a second login endpoint for validating usernames: a credential test through wp.getUsersBlogs succeeds or fails without ever touching wp-login.php, so usernames harvested elsewhere (author archives, the REST API users endpoint) can be confirmed quietly, and plugins or older versions that return different error messages for unknown and known users make the enumeration trivial.

Information Disclosure

Several XML-RPC methods answer without authentication. system.listMethods returns the complete list of methods the site exposes, including those added by plugins, which lets an attacker fingerprint the installation, and authenticated methods such as wp.getPosts or wp.getUsers expose posts, users, and configuration once a single credential has been guessed.
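The two amplification vectors above share one property: everything that matters is inside the POST body, so a request filter has to parse the XML rather than count requests. The following is an added example for this article, not WordPress, WP Folder Shield or any WAF vendor's code. It builds a system.multicall body of the shape a brute-force tool sends (one wp.getUsersBlogs login check per password), then inspects request bodies with Python's standard library to report the method invoked, how many calls are nested, how many credential pairs one HTTP request carries, and whether a pingback is being requested. The method lists, the body size cap and the block policy are assumptions for the demonstration.

```python
"""Inspect an XML-RPC request body the way a WAF rule would (added example)."""
import xmlrpc.client

# Methods worth refusing outright if you use neither pingbacks nor batching (assumed policy).
RISKY_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks", "system.multicall"}
# Core methods whose first two parameters are (username, password).
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getUsers", "wp.getPosts",
                "mt.getRecentPostTitles"}
MAX_BODY_BYTES = 64 * 1024   # assumed cap; legitimate calls are far smaller


def build_multicall(username, passwords):
    """Construct a system.multicall body carrying one login check per password."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def inspect_body(body):
    """Summarise a methodCall body: top-level method, nested call count,
    number of (username, password) pairs, and any risky methods present."""
    params, method = xmlrpc.client.loads(body)
    calls = [(method, list(params))]
    nested = 0
    if method == "system.multicall" and params and isinstance(params[0], list):
        # Each nested call is a struct {methodName, params}.
        calls = [(c.get("methodName", ""), list(c.get("params", [])))
                 for c in params[0] if isinstance(c, dict)]
        nested = len(calls)
    auth_attempts = sum(1 for m, p in calls if m in AUTH_METHODS and len(p) >= 2)
    present = {method} | {m for m, _ in calls}
    return {
        "method": method,
        "nested_calls": nested,
        "auth_attempts": auth_attempts,
        "risky": sorted(present & RISKY_METHODS),
    }


def should_block(body, max_auth_attempts=1):
    """Block oversized or malformed bodies, any risky method, and more than
    one credential check per HTTP request (assumed policy)."""
    raw = body.encode() if isinstance(body, str) else body
    if len(raw) > MAX_BODY_BYTES:
        return True
    try:
        info = inspect_body(body)
    except Exception:            # malformed XML, including expat parse errors
        return True
    return bool(info["risky"]) or info["auth_attempts"] > max_auth_attempts


# Constructed request bodies for the demonstration.
SINGLE_LOGIN = xmlrpc.client.dumps(("editor", "correct horse battery"),
                                   methodname="wp.getUsersBlogs")
PINGBACK = xmlrpc.client.dumps(("https://attacker.example/post", "https://victim.example/"),
                               methodname="pingback.ping")
BRUTE_FORCE = build_multicall("admin", [f"Password{i}" for i in range(200)])

if __name__ == "__main__":
    for name, body in [("single login", SINGLE_LOGIN), ("pingback", PINGBACK),
                       ("multicall", BRUTE_FORCE)]:
        print(name, inspect_body(body), "block" if should_block(body) else "allow")
```

The multicall body is 200 credential checks in one POST, which is what a request-counting limiter misses; the inspector reports auth_attempts=200 and blocks it, while the single wp.getUsersBlogs call passes. The size check runs before parsing so that an oversized body is rejected without spending parser time on it.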

Signs of XML-RPC Attacks

Server Load Issues

  • Sudden CPU spikes
  • Slow site performance
  • Memory exhaustion
  • Connection timeouts

Log Indicators

Check your access logs for lines like:

POST /xmlrpc.php HTTP/1.1

A burst of POSTs to xmlrpc.php from one client, especially with no matching page views from the same address, is the usual signature. Legitimate integrations such as Jetpack make occasional calls from a small, stable set of addresses.

Failed Login Attempts

Large numbers of failed login events (reported by a login-auditing plugin or the wp_login_failed hook) with no corresponding POSTs to wp-login.php in the access log indicate that the attempts are arriving through XML-RPC.

Protection Methods

Disable XML-RPC Completely

If you do not use XML-RPC features:

Via .htaccess:

<Files xmlrpc.php>
    # Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" and "Deny from all"
    Require all denied
</Files>

Via WordPress filter (in a plugin or your theme's functions.php):

add_filter('xmlrpc_enabled', '__return_false');

Note that this filter only disables the methods that require authentication. xmlrpc.php still answers requests and pingback.ping still works, so the DDoS reflection vector remains. To remove the endpoint entirely, block the file at the web server as above, or combine this filter with the method removal below.

Block Specific Methods

If you need XML-RPC but want to block dangerous methods:

add_filter('xmlrpc_methods', function($methods) {
    // Pingbacks: the reflection vector used for DDoS amplification.
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    // Batching: the brute-force amplification vector. Test your remote
    // integrations first, since some services batch calls through it.
    unset($methods['system.multicall']);
    return $methods;
});

Nginx Configuration

location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}

Rate Limiting XML-RPC

Apache mod_evasive

mod_evasive counts requests per client IP to the same URI (DOSPageCount over DOSPageInterval) and to the whole site (DOSSiteCount), and temporarily blocks offenders. It is not scoped to a single path, but a flood of POSTs to xmlrpc.php trips the per-page threshold quickly; set DOSPageCount low enough to catch it without blocking normal page loads.

Nginx Rate Limiting

# In the http {} block: one rate-limit state per client IP, 1 request per second.
limit_req_zone $binary_remote_addr zone=xmlrpc:10m rate=1r/s;

# In the server {} block, alongside the location that normally handles PHP.
location = /xmlrpc.php {
    limit_req zone=xmlrpc burst=5 nodelay;
    limit_req_status 429;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # match your existing PHP handler
}

Cloudflare Rules

Create a WAF custom rule that matches the request path (for example, the expression http.request.uri.path eq "/xmlrpc.php") and set its action to Block, or to Managed Challenge if you need to leave room for a human-driven client. Because Cloudflare sits in front of the origin, the requests never reach your server at all.

When You Need XML-RPC

Jetpack Requirements

Jetpack talks to your site from WordPress.com over xmlrpc.php, so blocking the file outright breaks Jetpack. If you rely on it, keep the endpoint reachable but remove the abusable methods with the xmlrpc_methods filter shown above, or restrict access to the file to the address ranges Jetpack documents. Removing pingback.ping does not affect Jetpack; test before removing system.multicall, which some remote services use for batching.

Mobile App Publishing

The WordPress mobile app has historically used XML-RPC to manage self-hosted sites. Sites connected through Jetpack can be managed through the WordPress.com REST API instead, but a self-hosted site without Jetpack may still need xmlrpc.php for the app, so test the app after disabling the endpoint.

Third-Party Services

Some automation and publishing services still require XML-RPC. Before keeping the endpoint open for them, check whether the service supports the WordPress REST API with Application Passwords; if it does not, restrict xmlrpc.php to the service's source addresses rather than leaving it open to the internet.

Alternative: Use REST API

Modern Replacement

The WordPress REST API provides similar functionality with better security controls. Consider migrating integrations from XML-RPC to REST API where possible.

REST API Advantages

  • Better authentication options: Application Passwords (core since WordPress 5.6), cookie-plus-nonce authentication for logged-in clients, and OAuth through plugins
  • Per-route permission callbacks, so each endpoint checks the caller's capabilities
  • Easier rate limiting, because each operation has its own URL instead of sharing xmlrpc.php
  • Better documentation and tooling

Monitoring and Detection

Web Application Firewall

Configure your WAF to monitor and filter XML-RPC requests. WP Folder Shield's firewall detects and blocks malicious XML-RPC traffic.

Log Analysis

Regularly review logs for XML-RPC abuse patterns. Set up alerts for unusual activity.

Real-Time Blocking

Implement automatic IP blocking for IPs that send excessive XML-RPC requests.
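The log indicators described under Signs of XML-RPC Attacks and the log review and automatic blocking described in this section come down to one computation: how many POSTs to xmlrpc.php a single client makes inside a short window, and whether that client ever touches wp-login.php. The following is an added example for this article, not the site's or WP Folder Shield's code. It parses combined-format access log lines (the default for Apache and Nginx), keeps per-IP counts, tracks the peak number of xmlrpc.php POSTs inside a sliding 60-second window, and lists the IPs over a threshold for a firewall or fail2ban action to block. The log lines, the window and the threshold are constructed for the demonstration.

```python
"""Spot XML-RPC floods in a combined-format access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, method, path, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def summarize(lines, window=timedelta(seconds=60)):
    """Per-IP counts of xmlrpc.php POSTs and wp-login.php POSTs, plus the
    highest number of xmlrpc.php POSTs seen from that IP inside `window`."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])          # logs are normally ordered; be safe
    stats = defaultdict(lambda: {"xmlrpc_posts": 0, "login_posts": 0, "peak_per_window": 0})
    recent = defaultdict(deque)
    for r in records:
        if r["method"] != "POST":
            continue
        if r["path"].endswith("/wp-login.php"):
            stats[r["ip"]]["login_posts"] += 1
        elif r["path"].endswith("/xmlrpc.php"):
            s = stats[r["ip"]]
            s["xmlrpc_posts"] += 1
            q = recent[r["ip"]]
            q.append(r["ts"])
            while r["ts"] - q[0] > window:       # evict timestamps outside the window
                q.popleft()
            s["peak_per_window"] = max(s["peak_per_window"], len(q))
    return dict(stats)


def offenders(stats, threshold=20):
    """IPs whose peak xmlrpc.php POST count inside the window exceeds the threshold.
    The threshold is an assumption; tune it to what your integrations actually send."""
    return sorted(ip for ip, s in stats.items() if s["peak_per_window"] > threshold)


def _line(ip, secs, method, path, status=200):
    """Build one constructed combined-format log line `secs` after a fixed base time."""
    ts = datetime(2026, 1, 15, 10, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=secs)
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 370 "-" "Mozilla/5.0"')


# Constructed sample log: one client hitting xmlrpc.php once a second for 30 seconds,
# one integration making two legitimate calls, and one human logging in normally.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/xmlrpc.php") for s in range(30)]
    + [_line("198.51.100.4", 5, "POST", "/xmlrpc.php"),
       _line("198.51.100.4", 40, "POST", "/xmlrpc.php"),
       _line("192.0.2.10", 10, "GET", "/wp-login.php"),
       _line("192.0.2.10", 12, "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s)
    print("block:", offenders(stats))
```

Feed real log lines to summarize() from a tail of the access log and hand the offenders() result to whatever blocking mechanism you run (a firewall rule, a fail2ban action, or a WAF IP list). The integration at 198.51.100.4 makes only two calls, so it stays under the threshold, while the xmlrpc.php-only client that never visits wp-login.php is exactly the pattern the Failed Login Attempts indicator describes.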

Conclusion

XML-RPC is a significant attack vector that most WordPress sites do not need. Disable it completely if possible, or implement strict rate limiting and method restrictions if required. Monitor your logs for attack patterns and respond quickly to abuse.

Written by Sarah Chen

WP Folder Shield Team
