XMLRPC WordPress Attacks

What is XMLRPC? How can it be used to attack your WordPress install? And how can we protect ourselves?

XML-RPC is an API that WordPress exposes to allow developers to log in and manage your website content. If enabled, this API gives attackers unlimited opportunity to brute force your website login 24x7. Attackers can use this programming interface to either brute force account logins or take down your website by issuing a DoS attack. Unless you’re sure your website is using this feature, you should disable it. If you are using it, work with your developer to allow access to xmlrpc.php only from specific IP addresses via your .htaccess file or other content filter.
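To judge whether anything legitimate is using xmlrpc.php before you disable it, and to spot sources that are hammering it, you can tally POST requests to xmlrpc.php per client IP from your web server access log. The following is an added example, not code from BruteBank or the original article; it assumes the Apache "combined" log format, and the function names, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)

def xmlrpc_posts_by_ip(lines):
    """Count POST requests to xmlrpc.php per client IP."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # unparsable line, or not a POST
        # Drop the query string and compare the script name only.
        path = m.group("path").split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() == "xmlrpc.php":
            counts[m.group("ip")] += 1
    return counts

def flag_sources(counts, threshold=3):
    """Return (ip, count) pairs at or above threshold, busiest first.
    The threshold is an assumed value; tune it to your own traffic."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:03:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.7 - - [10/Jan/2024:03:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.7 - - [10/Jan/2024:03:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.7 - - [10/Jan/2024:03:14:04 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 403 "-" "-"
203.0.113.10 - - [10/Jan/2024:09:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
192.0.2.5 - - [10/Jan/2024:09:05:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
192.0.2.5 - - [10/Jan/2024:09:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

if __name__ == "__main__":
    for ip, n in flag_sources(xmlrpc_posts_by_ip(SAMPLE_LOG.splitlines())):
        print(f"{ip}\t{n} POSTs to xmlrpc.php")
```

An IP with a small, steady count may be a legitimate client worth allowing by address; if no known client appears at all, disabling the API costs you nothing.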

How to block XML-RPC attacks

With BruteBank you can disable the XML-RPC API to prevent attackers from brute forcing your login credentials quickly and easily. Simply log in to your WordPress admin, navigate to the BruteBank plugin settings, and toggle the “Disable XMLRPC” option “On”.

Taking it further

If you’d like to block XMLRPC requests before they are processed by PHP, you can stop all of the requests using an .htaccess file. Edit your .htaccess file in the root of your website and add the following code:

# Deny every request to xmlrpc.php (Apache 2.4+ syntax)
<FilesMatch "^xmlrpc\.php$">
  Require all denied
</FilesMatch>

Be sure to disable XML-RPC on WordPress by using the BruteBank plugin or an .htaccess file to deny all xmlrpc.php requests. It will greatly increase the security of your website and protect your content.
