Block XML RPC Attacks

Recently there have been more XML RPC attacks that are sophisticated ways to brute force get your password without using the wp-login or registration form. You can read all about it at Succuri’s Blog here.

How does it work

Basically they use the system.multicall to  put hundreds of username password attacks in one HTTP request thanks to the built-in XML RPC access for external blogging using a editor elsewhere or loading of external data. This is a huge deal and I am looking into all sites I work with to decide what I can do to eradicate this type of attacks.

Fully Block / Disable XML RPC

To solve this problem you can either add a full block using a plugin to disable xml rpc or add this code to .haccess.


<files xmlrpc*="">
order deny,allow
deny from all


Do understand that if you have any plugin like Jetpack depending on XML RPC they will cease to function properly so tread carefully!

Functions.php XML RPC Method Filter

A more subtle method is adding this PHP code to your child theme’s functions file:

Still some of the plugins you use might depend on some of these methods. So good to get in touch with the plugin authors to find out.


If the site in question is already running WordFence you do not have to worry about XML RPC Attacks. As long as the plugin is active and the login filter is on all will be blocked even with the free version. See the full story on this on their blog here.


To check if XML RPC is working you can check out this website .

Tagged in : Tagged in : ,
Jasper Frumau

Jasper has been working with web frameworks and applications such as Laravel, Magento and his favorite CMS WordPress including Roots Trellis and Sage for more than a decade. He helps customers with web design and online marketing. Services provided are web design, ecommerce, SEO, content marketing. When Jasper is not coding, marketing a website, reading about the web or dreaming the internet of things he plays with his son, travels or run a few blocks.