[Latest News] Why You Might Want to Disable XML-RPC on Your WordPress Site for Now

We may all be in danger, the Sucuri guys say.

Where by "we" I mean all WordPress website owners.

The reason is a wave of brute force attacks that is happening right now.

Note: a brute force attack tries to guess your username and password by submitting a large number of username/password combinations in a short period of time.

In short, brute force attacks can be really dangerous if you don't have a strong, unique password in place for every one of your user accounts.

And the usual login blockers don't protect us in this case. That's because this technique can pack 500 or more login attempts into a single (!) HTTP request, and a tool that throttles by counting login requests sees just one.

What’s the deal exactly?

Sucuri calls the technique Brute Force Amplification, and it works through WordPress' XML-RPC interface (the xmlrpc.php endpoint that remote publishing tools and plugins such as Jetpack talk to). Quoting Sucuri:

“One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allows applications to pass multiple commands within one HTTP request.”

In plain English: the attacker wraps hundreds of calls to an XML-RPC method that takes a username and password (wp.getUsersBlogs, for example, which takes nothing but those two) into one system.multicall request, each call with a different password guess, and the server dutifully checks every one of them. A “limit login attempts” filter that counts requests sees a single HTTP request, not the hundreds of guesses hidden inside it.
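To make the amplification concrete, here is an added example (not code from this post or from Sucuri) that builds one such system.multicall body as constructed sample input, then shows the per-request check a WAF, proxy or log pipeline would need: parse the body, count the individual calls, and count how many of them carry a username/password pair. The threshold of ten calls is an assumption; the method names and parameter positions are those of the WordPress XML-RPC API.

```python
"""Detect XML-RPC brute-force amplification in a single POST body.

Added example, not code from the CodeinWP post or from Sucuri. Only the
standard library is used: xmlrpc.client serialises and parses XML-RPC.
"""
import xmlrpc.client
from dataclasses import dataclass, field

# WordPress methods whose parameters carry a username and password, with the
# (username, password) positions. wp.getUsersBlogs takes only the credentials;
# the other wp.* methods take blog_id first, then username and password.
CRED_POSITIONS = {
    "wp.getUsersBlogs": (0, 1),
    "blogger.getUsersBlogs": (1, 2),   # (appkey, username, password)
}


def cred_positions(method):
    """Return the (username, password) indexes for a method, or None."""
    if method in CRED_POSITIONS:
        return CRED_POSITIONS[method]
    if method.startswith("wp."):
        return (1, 2)                  # (blog_id, username, password, ...)
    return None


@dataclass
class Summary:
    method: str                        # top-level method of the request
    calls: int = 0                     # individual calls the server will run
    login_attempts: int = 0            # calls that carry a credential pair
    usernames: set = field(default_factory=set)
    passwords: set = field(default_factory=set)

    def amplified(self, max_calls=10):
        """More than max_calls credential checks in one request (assumed threshold)."""
        return self.login_attempts > max_calls


def _walk(method, params, summary):
    """Count one call; descend into system.multicall. Nested multicalls are
    counted defensively, whether or not a given server accepts them."""
    if method == "system.multicall":
        for call in (params[0] if params else []):
            if isinstance(call, dict):
                _walk(call.get("methodName", ""), list(call.get("params", [])), summary)
        return
    summary.calls += 1
    pos = cred_positions(method)
    if pos and len(params) > pos[1]:
        summary.login_attempts += 1
        summary.usernames.add(str(params[pos[0]]))
        summary.passwords.add(str(params[pos[1]]))


def analyze_body(body):
    """Parse one XML-RPC request body (str or bytes) and summarise it."""
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:           # not a well-formed XML-RPC packet
        raise ValueError("not an XML-RPC request") from exc
    if method is None:
        raise ValueError("XML-RPC response, not a request")
    summary = Summary(method=method)
    _walk(method, list(params), summary)
    return summary


def build_multicall(username, passwords):
    """Serialise a system.multicall request carrying one wp.getUsersBlogs call
    per password guess. Used here only to construct the sample input."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


# Constructed sample traffic: 500 guesses against "admin" in one request,
# and one ordinary single-call request for comparison.
GUESSES = ["password", "123456", "admin", "letmein", "wordpress"] * 100
AMPLIFIED_BODY = build_multicall("admin", GUESSES)
SINGLE_BODY = xmlrpc.client.dumps(("admin", "password"),
                                  methodname="wp.getUsersBlogs").encode()

if __name__ == "__main__":
    for name, body in (("multicall", AMPLIFIED_BODY), ("single", SINGLE_BODY)):
        s = analyze_body(body)
        print(f"{name}: 1 HTTP request, {s.calls} calls, "
              f"{s.login_attempts} login attempts, amplified={s.amplified()}")
```

The point of the summary is the gap between "1 HTTP request" and "500 login attempts": any limiter that keys on the former never fires. Counting calls inside the body, as analyze_body does, is what closes that gap.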

Sucuri first spotted these attacks on September 10, and their number has grown since.

How to protect your WordPress site

The easiest solution right now is to disable XML-RPC altogether.

The simplest way of doing this is to rename the default xmlrpc.php file to something else. Bear in mind that this is a stopgap: the next WordPress core update will put xmlrpc.php back. A deny rule for the file in your web server configuration (in Apache's .htaccess or httpd.conf, or in an nginx location block) survives updates, and a WordPress plugin that disables XML-RPC is another option, with the caveat that a plugin can be deactivated from the dashboard.

The bad news is that blocking this file breaks everything that talks to your site over XML-RPC, Jetpack in particular, along with remote publishing clients and pingbacks, so test your setup after making the change.
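Whichever route you take, you will want to confirm that the endpoint is really gone, and to re-check after each core update in case the file came back. The following is an added example (not code from this post or from Sucuri): it POSTs the standard system.listMethods introspection call, which WordPress's XML-RPC server answers without credentials, and classifies the reply. The target URL https://example.com/xmlrpc.php is an assumption; the sample responses are constructed.

```python
"""Check whether a site's XML-RPC endpoint is really switched off.

Added example, not code from the CodeinWP post or from Sucuri. It sends the
standard system.listMethods call (answered by WordPress without credentials)
and reports whether the endpoint answers and whether system.multicall is
still advertised. Only the standard library is used.
"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client

LIST_METHODS_REQUEST = xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def assess(status, body):
    """Classify the HTTP status and body returned for system.listMethods.

    reachable - the endpoint answered as an XML-RPC server
    multicall - system.multicall is advertised, so one request can still
                carry hundreds of login attempts
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    result = {"status": status, "reachable": False, "multicall": False, "methods": []}
    if status != 200:
        return result                  # 403 from a deny rule, 404 after a rename, ...
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault:
        result["reachable"] = True     # a fault is still an XML-RPC answer
        return result
    except Exception:
        return result                  # 200 but HTML: WAF page, theme 404 served as 200
    methods = params[0] if params and isinstance(params[0], list) else []
    result.update(reachable=True, methods=sorted(methods),
                  multicall="system.multicall" in methods)
    return result


def probe(url, timeout=10):
    """POST system.listMethods to url and return assess() of the reply."""
    req = urllib.request.Request(url, data=LIST_METHODS_REQUEST,
                                 headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # 4xx/5xx replies still carry a body
        return assess(err.code, err.read())


def sample_listing(methods):
    """Build a methodResponse shaped like WordPress's answer (constructed sample)."""
    return xmlrpc.client.dumps((list(methods),), methodresponse=True).encode()


if __name__ == "__main__":
    # Assumed URL; pass your own as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/xmlrpc.php"
    r = probe(url)
    if not r["reachable"]:
        print(f"{url}: XML-RPC not answering (HTTP {r['status']}), blocked")
    elif r["multicall"]:
        print(f"{url}: XML-RPC is up and advertises system.multicall, amplification still possible")
    else:
        print(f"{url}: XML-RPC is up, {len(r['methods'])} methods, no system.multicall")
```

This probe tells you whether the endpoint answers at all, which is what a rename or a web server deny rule achieves. A plugin that leaves xmlrpc.php in place but refuses logins will still show as reachable here; for that case, check the plugin's own behaviour separately.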

Okay, that’s it for the day’s news. Stay safe!

Adelina Tuca

Writer and WordPress blogger at ThemeIsle, CodeinWP, and Revive Social. When I'm not creating content, I'm either hiking, attending a metal concert, reading a book, or watching tennis.
  • Gary

    I’m using the WordPress plugin “Stop XML-RPC Attack”. They claim it allows trusted services such as Jetpack to still function, but blocks all others. Is this a good idea? What do you think?

    • andrewteg

      Gary, there is an older article at http://geektnt.com/how-to-disable-xmlrpc-php.html that shows many different ways to block XML-RPC and weighs the pros and cons of each. The plugins it mentions likely block Jetpack, but I’m not sure.

      Deleting/renaming the file is actually the least secure, as it will come back when you update WP, so I feel a plugin is better, but I am curious what the CodeInWP team says too. If you need Jetpack, you’ll probably have to go the plugin route, but if not, I personally suggest .htaccess or httpd.conf, if you have access to that, over a plugin, since an admin may disable a plugin. You may want to ask the plugin authors if you can use theirs as a Must Use Plugin so it can’t be disabled. Read more on that at https://codex.wordpress.org/Must_Use_Plugins

      Lastly, if you or anyone else does edit httpd.conf, then you may need to use “Require all denied” instead of “Order Deny, Allow” and “Deny from all”, depending on your Apache version. You can usually look for the “” directive that comes by default in Apache to disable browsing of .htaccess files and just copy what is in that directive.

      • Thanks for this comment, Andrew!

        Basically, like you’re saying, deleting the file will cause it to come back when you update the platform. However, the idea is that the problem could hopefully be fixed with the next update, so having the xmlrpc file restored might not be a bad thing.

        That being said, those plugin solutions do seem to make sense.

        • HZ

          What I do is keep copies of WordPress core files that I modify. When I’m doing an upgrade to a newer version of WordPress, I compare the new files to my version and manually update the newer WordPress files to incorporate MY changes... I never blindly upgrade WordPress.

  • Enstine Muki

    I had this disabled and Jetpack was useless. Is there a way around this that still allows Jetpack to function?

    Looks really scary 😉