We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.

Your Digital Commerce Experts
Nexcess Logo

Stopping an XML-RPC WordPress Attack for Admins

January 26, 2022



Keep your site safe from XML-RPC WordPress attacks! Learn how they happen and how to prevent them with insights for admins regarding the XML-RPC protocol.

Stopping an XML-RPC WordPress Attack

XML-RPC attacks are among the most common attacks on various WordPress websites. Here you’ll learn what XML-RPC protocol is, what it is used for, what these attacks are, how they happen and how to prevent them. 

The Nexcess Knowledge Baseprovides additional information about WordPress sites and our Managed WordPress and Managed WooCommerce platforms.

What is XML-RPC?

XML-RPC is a remote procedure call protocol that uses HTTP as a transport mechanism and encodes its calls using XML. XML is a language that defines rules for encoding documents and is both human-readable and machine-readable. RPC is a way for a call from one location (device) to trigger the execution of a routine or a function in another location (server). It was created in 1998 and allowed for sending and receiving of encoded, potentially complex, or nested data structures via HTTP requests. 

XML-RPC and Its Role within WordPress Installations

XML-RPC is one of the core WordPress features which allows remote access to otherwise inaccessible sections of the WordPress dashboard. For example, if you wanted to post to your site from a mobile device since your computer wasn’t nearby, you could do that using various third-party applications (Windows Live Writer was one of them). XML-RPC is a protocol that would allow the connection between a remote third-party application and the WordPress installed on your website. There was an option to disable XML-RPC in earlier WordPress versions, but with the release of WordPress mobile applications, this option’s been enabled by default (since WordPress version 3.5). There isn’t a built-in functionality that would allow you to disable XML-RPC.

XML-RPC functionality is implemented through the xmlrpc.php file, which can be found in the document root directory of any WordPress site. Even though it’s a default feature, the file's functionality and size have significantly decreased, and it doesn’t play as large of a role as it did earlier. 

Problematic Nature of XML-RPC in WordPress

In the past, some RPCs have been exploited. One of the examples would be a massive Microsoft virus known as MSBlast or W32.Blaster.Worm which caused significant chaos on Windows computers, from August 2003. Nowadays, it presents a security risk for XML-RPC attacks on WordPress sites. Randomized passwords and usernames that aren’t the default “admin” user are still a good security practice, but they will not do much good against XML-RPC attacks. Namely, there are two main weaknesses that have been exploited in the past. 

Malicious visitors would use the xmlrpc.php file for brute force attacks that might allow them access to your site. A single command can be effectively used to test hundreds of different passwords. Usually, the primary user that would be exploited is the administrator user with the username “admin”. The xmlrpc.php file allows hackers to bypass the usual security measures to prevent brute force attacks towards the main wp-login.php file. For other ways to avoid compromises on your site, see How can I prevent my site from being compromised?

The second weakness was bringing sites down through a DDoS attack. The pingback WordPress feature allows hackers to simultaneously send pingbacks to thousands of sites. This weakness is a feature of xmlrpc.php that gives hackers an endless supply of different IP addresses to distribute the DDoS attack over. 

How to Check if XML-RPC is Enabled on Your Site

If the XML-RPC is enabled, you’ll be able to run plugins like Jetpack or apps that allow remote access to your WordPress site’s backend, like mobile apps. If you’re not using any of those plugins or apps, it’s still possible XML-RPC is enabled on your website, and as such, presents a vulnerability. There are a couple of ways to check this, but these are two of the easiest ways to check:

  1. You can visit the website https://webdogs.com/xml-rpc-validator/:

    1. Once there, you can paste in your website’s URL, such as https://example.com/xmlrpc.com.

    2. Do not enter any credentials.

    3. If you’ve got the message Congratulations! Your site passed the first check.” it means XML-RPC is enabled on your site. It is active, visible, working, and a possible vulnerability on your site.

  2. You can go to the xmlrpc.php page on your website. If you see the “XML-RPC server accepts POST requests only.” message, XML-RPC is enabled on your website:



How to Stop XML-RPC attacks

The easiest and quickest way to stop XML-RPC attacks on your website is to entirely block access to the xmlrpc.php file. That can be achieved using various plugins or adding a block directly to the site’s htaccess file. It can also be achieved by deleting the file itself, but any future core update would recreate the file, and you’d need to delete it over and over again. More articles about security features and possible modifications can be found here. Since WordPress is a very popular content management system, it is necessary to take additional precautions regarding its security. 

There are plenty of different plugins available that should help with this. Still, before installing any, we’d suggest checking if it’s compatible with the version of WordPress your website is running. 



Should you wish to stop XML-RPC attacks by making changes to the .htaccess file directly, you’ll need to log in via SSH or FTP, locate the .htaccess file and paste the following at the top of it:


# START XML-RPC BLOCKING
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
allow from 127.0.0.1
</Files>
# FINISH XML-RPC BLOCKING


In case your site is using Jetpack, you’ll need to whitelist its IP addresses so the plugin can function as intended: 

# START XML-RPC BLOCKING
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
allow from 127.0.0.1
#AUTOMATTIC jetpack etc
allow from 192.0.64.0/18
errordocument 401 default
errordocument 403 default
errordocument 404 default
errordocument 411 default
</Files>
# FINISH XML-RPC BLOCKING


If you’re unsure how to proceed regarding these instructions, our support team will be happy to assist you!

Useful WordPress Links for Developers & Admins

Next Steps?

Read more about the Fully Managed WordPress Hosting and its benefits for your business.

Build Better Websites with Fully Managed WordPress Hosting 

It’s hosting optimized for WordPress. That means a faster, more secure and scalable website. Smart monitoring tools are built-in to help you keep it that way. 

It’s why WordPress Users Trust Nexcess Hosting.

We also have a variety of Nexcess support articles about WordPressincluding how to get your site going with a number of different configuration options. These resources include a great article on setting this up for Migrating to Nexcess with managed WordPress and managed WooCommerce hosting

24-Hour Assistance

If you need any assistance with the above-mentioned, don't hesitate to reach out. For 24-hour assistance any day of the year, Nexcess customers can contact our support team by email or through your Client Portal.

Useful YouTube > Nexcess Channel Links

Resources for More Information

Need more help? With regards to security topics, The Security, PCI DSS, SSL, SSHand WordPress sections within the Nexcess Knowledge Base are important resources. The Applications, WooCommerceand Other Best Practices sections contain valuable insights for those seeking additional knowledge about applications. Or, check out our related articles below.

New Customers: Fully Managed Hosting Solutions

Not a Nexcess customer yet? Check out our fully managed hosting solutions. The option to chat with an expert is also available.

Related Articles

Paul Stubblefield
Paul Stubblefield


Nexcess Knowledge Base Owner
Content Marketing in Nexcess Digital Marketing
Nexcess, A Liquid Web Brand

Paul Stubblefield
— Technical Writer & Knowledge Management Professional

"Delivering the next generation of life-enhancing technology platforms, software solutions, and mobile-ready applications for technology pioneers, thought leaders, and market innovators in a robustly connected world."

Paul lives in Bonita Springs, Florida, USA. He is an aficionado of art, coffee, good-natured humor, lifelong learning, music, nature, pets, technology, world cultures, and his Zen Patio Garden project.