What is WordPress XML-RPC and How To Stop an Attack

Join InfoPhilic Community!

Let's build a community to help & encourage each other to grow!

Let me start by introducing XML-RPC. It is a set of specification that offers a portable way to make remote procedure calls over HTTP.

Here, RPC stands for Remote Procedure Call that offers developers a mechanism for defining interfaces that can be called over a network. The client specifies some procedures and parameters in the XML request, and the server returns either a fault or a response in the XML response.

Through XML-RPC, you can integrate multiple computing environments and establish communications quickly and easily.

WordPress basically uses XML-RPC interface.

WordPress first implemented XML-RPC since WordPress 3.5. Previous versions were consisted of in the xmlrpc.php file in the root directory. To turn on XML-RPC, you had to enable it manually. It was done by following steps:

Go to Settings >> Writing >> Remote Publishing and check the checkbox.

After version 3.5, the XML-RPC is on by default in WordPress.

Now, the file has changed in functionality by a neat little class ‘wp_xmlrpc_server’. You can see this in wp-includes/class-wp-xmlrpc-server.php. It consist of 48 WordPress functions, 7 Blogger functions, 6 MetaWeblog functions, 8 MovableType functions and 4 functions for pingbacks.

Problems with WordPress XML-RPC:

Through XML-RPC, WordPress offers developers a way to build write applications that can do many of the things. But, there are two problems with it i.e., its extendability and its security.

Many WordPress attacks are exploiting the XML-RPC feature to gain access to sites. Most common type of attacks- Brute force attacks and DDoS (Distributed Denial of Service).

Brute force attacks:

Brute force attacks are most common in WordPress site. Hackers try to access your dashboard by many login attempts.

WordPress has common admin URL i.e., wp-admin. Thus, hackers took advantage of it. By using secret method of XML-RPC, attackers launch brute force attacks that are very hard to detect. The attacker exploits XML-RPC request by trying an endless number of username/ password combinations until they gain entry into your site.

DDoS (Distributed Denial of Service) attacks:

Another common type of attack is DDoS (Distributed Denial of Service).  Here, an attacker tries to launch the DDoS attack by sending a number of pingbacks requests that may hog the server and slow your site down.

Stopping attacks on WordPress XML-RPC:

However, due to some security issues, the best thing you can do to prevent attacks is to disable it.

While there is no option in the user interface and the database, thus, you have to go by the .htaccess file.

Paste the following code into your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from //(This will be your IP)

However, there are plugins available to disable XML-RPC in the plugins directory. Use one of them if required.

Note: Keep in mind that you are disabling a major API in WordPress. If you are using Jetpack, then let me remind you that Jetpack heavily relies on XML-RPC to provide its features. Disabling XML-RPC may impact Jetpack and its certain features.


I hope this article might clean up your some confusions about XML-RPC.  If you still have some doubts, let me clear them in the comment section below.

Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Comment Policy: Your words are your own, so be nice and helpful if you can. Please, only use your real name and limit the amount of links submitted in your comment. We accept clean XHTML in comments, but don't overdo it please.


Please enter your comment!
Please enter your name here


Start WordPress Blog: Ultimate Guide For Beginners

Here is our step by step guide for beginners to start a WordPress blog.

Top 6 Best WordPress Theme Frameworks

There are many websites themes which are created by using a framework. Likewise, WordPress Theme frameworks also becoming so popular. The framework allows you...

The Most Essential WordPress Plugins

Here, I have listed some excellent plugins which will surely add more features and new functionality to your WordPress blog.

Tips to Speed Up WordPress Performance

Here, I am sharing some tips to speed up WordPress performance. All you need to modify .htaccess file on your server and add some plugins.

The Ultimate Guide to Harden WordPress Security

Learn how to improve WordPress security. Here are some basic security concepts that will help you to harden WordPress security.

How to Setup CloudFlare Free SSL for WordPress Blog

Google has announced that they will count HTTPS as a ranking factor which means if you using HTTPS you will get a higher position...


Kinsta Hosting

Highly optimized servers for lightning-fast sites. High-security environment hack-fix guarantee. WordPress support experts at your fingertips. GRAB THIS DEAL


Get almost 100% PageSpeed on Newspaper theme

The newspaper theme is the most popular premium theme for a self-hosted WordPress blog. The theme is developed by team tagDiv. You...

How to Remove jQuery Migrate in WordPress?

jQuery Migrate greatly simplifies the process of moving older jQuery code to a higher jQuery version by identifying deprecated features. It then restores deprecated...

Tips to Speed Up WordPress Performance

Here, I am sharing some tips to speed up WordPress performance. All you need to modify .htaccess file on your server and add some plugins.

How to Properly Delete a WordPress Post or Page?

You sometimes want to delete a page from your site for many reasons. When you taking a step forward, you are going to remove...

How to create News Sitemap for WordPress site?

Learn how to create special news sitemap for your WordPress blog/ website using Yoast News SEO plugin and Jetpack plugin.

How to Prevent Invalid Activity

Publishers expect that their content should be viewed by legitimate consumers. However, criminal organizations have attacked the digital ad ecosystem with malware and other methods that...