XML-RPC enabled on WordPress

The xmlrpc.php file is publicly accessible and responds to requests. It exposes a legacy WordPress remote-procedure-call API that is enabled by default and that most sites never use.

Why it matters

XML-RPC's system.multicall method lets an attacker try thousands of login/password combinations in a single HTTP request (the "multicall" attack), and its pingback.ping method can be abused as a reflector for amplification DDoS attacks.

How to fix

  1. Via .htaccess (recommended method)

     # Block XML-RPC (Apache)
     <Files xmlrpc.php>
       Order allow,deny
       Deny from all
     </Files>

     Order/Deny are Apache 2.2 directives; on Apache 2.4 they only work with mod_access_compat loaded, and the native 2.4 equivalent inside the <Files> block is `Require all denied`. Check that the site keeps working (see the Jetpack exception in step 4) before blocking the file outright.

  2. Via a security plugin

     Wordfence, iThemes Security, or Disable XML-RPC let you disable XML-RPC in one click from the WordPress dashboard.

  3. Via functions.php (partial disabling)

     // Disables XML-RPC methods that require authentication
     add_filter('xmlrpc_enabled', '__return_false');

     This is only partial: the xmlrpc_enabled filter turns off the authenticated methods (which stops the multicall login attack), but unauthenticated methods such as pingback.ping remain available, so the file can still be used as a DDoS reflector.

  4. Exception if Jetpack is installed

     Jetpack uses XML-RPC to communicate with WordPress.com, so blocking xmlrpc.php entirely breaks the connection. In this case, remove only the dangerous methods via the xmlrpc_methods filter rather than blocking everything.
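As an added example (not code from the original page, nor Jetpack's own), this must-use plugin shows one way to apply step 4: keep xmlrpc.php reachable for Jetpack but drop the methods behind the two attacks described above. The method names are WordPress's own; the constant and function names are assumptions made here, and it assumes Jetpack does not rely on system.multicall.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC methods (example)
 * Description: Keeps XML-RPC available for Jetpack while removing the
 *              methods used for multicall brute force and pingback floods.
 * Install as wp-content/mu-plugins/restrict-xmlrpc.php (assumed path).
 */

// Methods to remove. system.multicall bundles many calls, and therefore
// many login attempts, into one request; pingback.ping is the reflection
// vector used for amplification DDoS. Constant name chosen for this example.
const RESTRICTED_XMLRPC_METHODS = [
    'system.multicall',
    'pingback.ping',
    'pingback.extensions.getPingbacks',
];

/**
 * Callback for the 'xmlrpc_methods' filter. WordPress passes the full
 * method-name => callback map; we return it with the restricted entries
 * removed. Jetpack's own jetpack.* methods stay in the map untouched.
 */
function example_restrict_xmlrpc_methods(array $methods): array
{
    foreach (RESTRICTED_XMLRPC_METHODS as $name) {
        unset($methods[$name]);
    }
    return $methods;
}
add_filter('xmlrpc_methods', 'example_restrict_xmlrpc_methods');

// Stop advertising the pingback endpoint in the X-Pingback response header
// that WordPress adds on singular pages with pings open.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
```

Removing system.multicall stops the thousands-per-request variant, but single-call login attempts through authenticated methods are still possible, so keep login rate limiting in place as well.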
