Website security is a tough thing to solve in the right way, especially when it comes to security issues related to XML-RPC, which is commonly exploited in attacks on WordPress sites. There's a lot of information available on the internet providing all kinds of solutions, but which are correct? In this article, we will explain the how, the solutions out there, and which solution is actually the best. Let's dive in!


XML-RPC for WordPress was designed to enable remote connections between your site and external applications. This means users are able to interact with their WordPress site through different blogging platforms or phone apps. This was useful in the earlier days of the internet when a person would want to edit content offline, and then connect to their WordPress blog later to publish it.

There are certain situations where users would want to use XML-RPC. However, with advances in technology, the use and functionality of XML-RPC have been greatly reduced since its inception. As such, the original benefits of this feature are now outweighed by the potential security risks of leaving it enabled.

How Vicious Can Hackers Be With the xmlrpc.php File?

Using XML-RPC, hackers leverage Remote Procedure Calls (RPC) and invoke functions to fetch the data they want. On the majority of WordPress sites, the xmlrpc.php file is easily traceable, and just by sending arbitrary XML data, hackers can make the site run the code they have prepared to execute a certain type of attack.

To understand how WordPress XML-RPC is compromised, let's look at the most popular cyberattacks associated with it.

  • Brute Force Attacks – Where an attacker can use XML-RPC to test hundreds of username and password combinations until they are eventually able to gain access to your site. This occurs because XML-RPC does not have the same login attempt limit that exists when you log into WordPress normally. If you would like to find out more about WordPress Brute Force Attacks, click here.
  • DDoS Attack – Where an attacker can use XML-RPC to ping back thousands of IPs. This allows them to send a flood of data and traffic, which can cause overages and even leave networks paralyzed and shut down. If you would like to know more about WordPress DDoS Attacks, click here.
  • Cross-Site Port Attack (XSPA) – Where an attacker can inject a malicious script to retrieve information on TCP ports and IP addresses. To know more about XSPA, click here.

Ineffective Methods of Blocking XMLRPC Attacks

So far in the article, we have established that the xmlrpc.php file is prone to some serious cyberattacks such as DDoS, brute force, and Cross-Site Port Attack. It is therefore crucial to handle it properly to block these attacks.

By Deleting the XMLRPC Completely

You can simply delete the xmlrpc.php file, which will make your server return 404 errors to anyone trying to access it. The downside of this solution is that the file will be re-created every time you update WordPress.

By Disabling the XMLRPC Completely

The other, more viable option is to disable the xmlrpc.php file. You can do this by adding a block of code to your .htaccess file. Make sure you place it before the never-changing .htaccess rules added by WordPress.
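
A block of this kind, as an added example that is not from the original article: it denies every request for xmlrpc.php and sits above the `# BEGIN WordPress` section that WordPress itself maintains. It assumes Apache with .htaccess overrides enabled for access control; the address 203.0.113.10 in the comments is a placeholder for a trusted client.

```apache
# Added example (not from the original article).
# Assumes Apache honours .htaccess in this directory: AllowOverride must
# include AuthConfig for "Require" (2.4) or Limit for "Order/Deny" (2.2).

<Files "xmlrpc.php">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
        # To keep one trusted client working, replace the line above with
        # the line below (placeholder address):
        # Require ip 203.0.113.10
    </IfModule>

    # Apache 2.2 fallback (legacy access control)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        # Optional exception for one trusted client (placeholder address):
        # Allow from 203.0.113.10
    </IfModule>
</Files>

# BEGIN WordPress
# ... rules that WordPress writes and maintains stay below, untouched ...
# END WordPress
```

After saving, a request to /xmlrpc.php should return HTTP 403 while the rest of the site loads normally.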

There are many security plugins that you can install to prevent this kind of attack, but that is not the best option. If you would like to know more about why it is not the best option, click here.

How to Lockdown xmlrpc.php in WordPress

In our opinion, the best option for locking down and securing a WordPress site is to use .htaccess. If you would like to secure your website, click here.