
What is WordPress XML-RPC and How To Stop an Attack

Let me start by introducing XML-RPC. It is a set of specifications that offers a portable way to make remote procedure calls over HTTP.

Here, RPC stands for Remote Procedure Call, a mechanism that lets developers define interfaces which can be called over a network. The client specifies a procedure and its parameters in an XML request, and the server returns either a fault or a result in an XML response.

Through XML-RPC, you can integrate multiple computing environments and establish communications quickly and easily.

WordPress exposes such an XML-RPC interface.

XML-RPC support in WordPress was reworked in version 3.5. In previous versions it lived in the xmlrpc.php file in the root directory and was switched off until you enabled it manually, as follows:

Go to Settings >> Writing >> Remote Publishing and check the checkbox.

Since version 3.5, XML-RPC has been on by default in WordPress.

Now the functionality of that file lives in a neat little class, wp_xmlrpc_server, which you can see in wp-includes/class-wp-xmlrpc-server.php. It consists of 48 WordPress functions, 7 Blogger functions, 6 MetaWeblog functions, 8 MovableType functions and 4 pingback functions.

Problems with WordPress XML-RPC:

Through XML-RPC, WordPress offers developers a way to write applications that can do many things with a site remotely. But there are two problems with it: its extendability and its security.

Many attacks on WordPress exploit the XML-RPC feature to gain access to sites. The most common types are brute force attacks and DDoS (Distributed Denial of Service) attacks.

Brute force attacks:

Brute force attacks are the most common attacks on WordPress sites. Hackers try to get into your dashboard through a large number of login attempts.

WordPress has a well-known admin URL, wp-admin, and hackers take advantage of it. By going through XML-RPC instead, a far less visible route, attackers can launch brute force attacks that are very hard to detect: the attacker sends XML-RPC requests trying an endless number of username/password combinations until one gains entry to your site.

DDoS (Distributed Denial of Service) attacks:

Another common type of attack is DDoS (Distributed Denial of Service). Here an attacker sends a large number of pingback requests that hog the server and slow your site down.
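Both attacks described above leave the same trace in the web server log: a burst of POST requests to xmlrpc.php from one client. As an added example that is not part of the original article, this Python script parses Apache combined-format access-log lines (constructed sample lines are embedded below, using documentation-range IP addresses) and flags any client whose POSTs to xmlrpc.php exceed a threshold inside a sliding time window; the threshold, window and sample traffic are assumptions of mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]

def find_xmlrpc_floods(lines, threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> peak number of POSTs to xmlrpc.php seen inside any
    `window`-long span, for clients whose peak exceeds `threshold`."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:                  # skip lines not in combined format
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.endswith("/xmlrpc.php"):
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):   # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample traffic (not real logs): 30 XML-RPC POSTs in 30 seconds from one
# client, plus one ordinary page view and one isolated XML-RPC POST from another.
SAMPLE_LOG = [
    f'203.0.113.10 - - [10/Mar/2019:12:00:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"'
    for s in range(30)
] + [
    '198.51.100.7 - - [10/Mar/2019:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2019:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "WordPress/5.1"',
]
```

For real traffic, pass the lines of your access log to find_xmlrpc_floods; on the sample above it returns {'203.0.113.10': 30} and leaves the single legitimate-looking XML-RPC request alone.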

Stopping attacks on WordPress XML-RPC:

Given these security issues, the best thing you can do to prevent such attacks is to disable XML-RPC.

There is no option for this in the user interface or the database, so you have to do it through the .htaccess file.

Paste the following code into your .htaccess file:

# Block WordPress xmlrpc.php requests
# (Apache 2.2-style access directives; on Apache 2.4 they require mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
# Replace 203.0.113.10 with your own IP address if you still need XML-RPC yourself
allow from 203.0.113.10
</Files>

Alternatively, there are plugins in the WordPress plugin directory that disable XML-RPC. Use one of them if required.

Note: keep in mind that you are disabling a major WordPress API. If you use Jetpack, remember that Jetpack relies heavily on XML-RPC to provide its features, so disabling XML-RPC may affect certain Jetpack features.


I hope this article has cleared up some of your confusion about XML-RPC. If you still have doubts, let me clear them up in the comment section below.

Amit Malewar
Amit Malewar has been a tutorial writer since 2013. His passion for helping people in all aspects of technology flows through the expert coverage he provides. In addition to writing for InfoPhilic, Amit loves to read and try new things.
