
[Latest News] Why You Might Want to Disable XML-RPC on Your WordPress Site for Now

We may all be in danger, the Sucuri guys say.

By “we,” I mean all WordPress website owners.

This is all because of the brute force attacks that are happening right now.

Note: a brute force attack tries to break your username and password by running through a number of username/password combinations in a short period of time.

In short, brute force attacks can be really dangerous if you don’t have a strong password in place for your user accounts.

And various login blockers don’t seem to protect us in this case. That’s because this new vulnerability can result in 500 or more login attempts from a single (!) HTTP request.

What’s the deal exactly?

The thing is called Brute Force Amplification, and it works via WordPress’ XML-RPC mechanism. Quoting Sucuri:

“One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allows an application to pass multiple commands within one HTTP request.”

In plain English, this sort of attack doesn’t get caught by any “limit login attempts” filters, as it only uses up a single HTTP request.

Sucuri discovered the first attacks on September 10, but the number has grown since.

How to protect your WordPress site

The easiest solution right now is to disable XML-RPC altogether.

The simplest way of doing this is to rename the default xmlrpc.php file to something else.

The bad news is that blocking this file can affect some plugins’ functionality, especially Jetpack’s, so proceed with caution.
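Where XML-RPC has to stay on for a plugin, a filter in front of the site can count how many calls each system.multicall request bundles, which is the number a per-request login limiter never sees. The check below is an added example, not code from this article or from Sucuri; the threshold, the function names and the placeholder method `example.method` in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

MAX_CALLS = 10  # assumed threshold; tune to what your legitimate clients send


def count_multicall_calls(body: bytes) -> int:
    """Return the number of calls bundled in a system.multicall request (0 for any other method)."""
    # XML-RPC needs no DTD; refuse one rather than risk entity expansion in the parser.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD not allowed in an XML-RPC body")
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or method != "system.multicall":
        return 0
    # The single parameter is an array holding one struct per bundled call.
    return len(root.findall("./params/param/value/array/data/value/struct"))


def classify(body: bytes, limit: int = MAX_CALLS) -> str:
    """Decide what to do with one HTTP request body: allow, block or reject."""
    try:
        calls = count_multicall_calls(body)
    except (ET.ParseError, ValueError):
        return "reject"  # malformed XML or a DTD-bearing body
    return "block" if calls > limit else "allow"


def build_sample(n: int) -> bytes:
    """Constructed sample: one multicall request bundling n calls to a placeholder method."""
    call = ("<value><struct>"
            "<member><name>methodName</name>"
            "<value><string>example.method</string></value></member>"
            "<member><name>params</name><value><array><data/></array></value></member>"
            "</struct></value>")
    return ("<?xml version='1.0'?><methodCall>"
            "<methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + call * n +
            "</data></array></value></param></params></methodCall>").encode()


if __name__ == "__main__":
    for n in (3, 500):
        body = build_sample(n)
        print(n, "bundled calls ->", classify(body))
```

The same count is worth logging per source address even for requests that are allowed, since one HTTP request in the access log can stand for hundreds of attempts.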

Okay, that’s it for the day’s news. Stay safe!
