Recently there have been more XML RPC attacks: a sophisticated way to brute force your password without going through the wp-login or registration form. You can read all about it at Sucuri’s Blog here.
How does it work
Basically they use the system.multicall method to pack hundreds of username/password attempts into one HTTP request, thanks to the built-in XML RPC access that exists for blogging from an external editor or loading external data. This is a huge deal and I am looking into all sites I work with to decide what I can do to eradicate this type of attack.
Fully Block / Disable XML RPC
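To solve this problem you can either add a full block using a plugin to disable XML RPC or add this code to .htaccess:
[html]
# Deny all requests for files whose name starts with "xmlrpc" (i.e. xmlrpc.php).
# Order/Deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it.
<Files xmlrpc*>
order deny,allow
deny from all
</Files>
[/html]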
Do understand that if you have any plugin like Jetpack that depends on XML RPC, it will cease to function properly, so tread carefully!
Functions.php XML RPC Method Filter
A more subtle method is adding this PHP code to your child theme’s functions file:
https://gist.github.com/jasperf/5af96a93ab937380ad6b
Still, some of the plugins you use might depend on some of these methods, so it is good to get in touch with the plugin authors to find out.
WordFence
If the site in question is already running WordFence, you do not have to worry about XML RPC attacks. As long as the plugin is active and the login filter is on, all will be blocked, even with the free version. See the full story on this on their blog here.
Bonus
To check if XML RPC is working you can check out this website.