What is WordPress XML-RPC and How To Stop an Attack

Let me start by introducing XML-RPC. It is a set of specification that offers a portable way to make remote procedure calls over HTTP.

Here, RPC stands for Remote Procedure Call that offers developers a mechanism for defining interfaces that can be called over a network. The client specifies some procedures and parameters in the XML request, and the server returns either a fault or a response in the XML response.

Through XML-RPC, you can integrate multiple computing environments and establish communications quickly and easily.

WordPress basically uses XML-RPC interface.

WordPress first implemented XML-RPC since WordPress 3.5. Previous versions were consisted of in the xmlrpc.php file in the root directory. To turn on XML-RPC, you had to enable it manually. It was done by following steps:

Go to Settings >> Writing >> Remote Publishing and check the checkbox.

After version 3.5, the XML-RPC is on by default in WordPress.

Now, the file has changed in functionality by a neat little class ‘wp_xmlrpc_server’. You can see this in wp-includes/class-wp-xmlrpc-server.php. It consist of 48 WordPress functions, 7 Blogger functions, 6 MetaWeblog functions, 8 MovableType functions and 4 functions for pingbacks.

Problems with WordPress XML-RPC:

Through XML-RPC, WordPress offers developers a way to build write applications that can do many of the things. But, there are two problems with it i.e., its extendability and its security.

Many WordPress attacks are exploiting the XML-RPC feature to gain access to sites. Most common type of attacks- Brute force attacks and DDoS (Distributed Denial of Service).

Brute force attacks:

Brute force attacks are most common in WordPress site. Hackers try to access your dashboard by many login attempts.

WordPress has common admin URL i.e., wp-admin. Thus, hackers took advantage of it. By using secret method of XML-RPC, attackers launch brute force attacks that are very hard to detect. The attacker exploits XML-RPC request by trying an endless number of username/ password combinations until they gain entry into your site.

DDoS (Distributed Denial of Service) attacks:

Another common type of attack is DDoS (Distributed Denial of Service).  Here, an attacker tries to launch the DDoS attack by sending a number of pingbacks requests that may hog the server and slow your site down.

Stopping attacks on WordPress XML-RPC:

However, due to some security issues, the best thing you can do to prevent attacks is to disable it.

While there is no option in the user interface and the database, thus, you have to go by the .htaccess file.

Paste the following code into your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from //(This will be your IP)

However, there are plugins available to disable XML-RPC in the plugins directory. Use one of them if required.

Note: Keep in mind that you are disabling a major API in WordPress. If you are using Jetpack, then let me remind you that Jetpack heavily relies on XML-RPC to provide its features. Disabling XML-RPC may impact Jetpack and its certain features.


I hope this article might clean up your some confusions about XML-RPC.  If you still have some doubts, let me clear them in the comment section below.

Amit Malewarhttps://www.infophilic.com/
Amit Malewar has been the tutorial writer since 2013. His passion for helping people in all aspects of technology flow through in the expert coverage he provides. In addition to writing for InfoPhilic, Amit loves to read and try new things.


Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.


Please enter your comment!
Please enter your name here