Disabling XML-RPC to Reduce Brute Force and DDoS Attacks

It is surprisingly common to overlook security measures while developing a WordPress website. Unfortunately, most attackers are aware of this and probe websites for such oversights. One of the most common techniques is to abuse the XML-RPC file of weakly protected websites to launch brute force and DDoS attacks.

XML-RPC (the WordPress API) is publicly accessible so that external software can communicate with the site. The API lets a user (developer) use WordPress services from mobile applications and other services outside the website. For example, you can perform the following actions through XML-RPC:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments

For the last two years, XML-RPC has been the target of brute force attacks and DDoS pingback attacks. A brute force attack consumes the server's resources and makes your website inaccessible. To prevent this, it is recommended to disable access to the XML-RPC file using the .htaccess file.

To disable the XML-RPC file, paste the following code into the .htaccess file located in the root directory of your website:

Note: If access to the XML-RPC file is disabled, your website's services will no longer be accessible to developers through the API. To keep API access for yourself, you can whitelist your own IP address.

You can allow access to the XML-RPC file only from a whitelisted IP address by adding the following code to the .htaccess file:
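The .htaccess rules for both cases above (blocking the file entirely, and blocking it except for a whitelisted address), written here as an added example rather than the post's own snippet. It assumes the endpoint is WordPress's standard xmlrpc.php file and uses 203.0.113.10 as a constructed placeholder address to replace with your own:

```apache
# Added example: restrict WordPress's XML-RPC endpoint (xmlrpc.php).
# 203.0.113.10 is a constructed placeholder from the RFC 5737 documentation
# range; replace it with the address your tooling actually connects from.
# To block XML-RPC entirely instead of whitelisting, replace the
# "Require ip" line with "Require all denied" (and "Allow from" with nothing).
<Files "xmlrpc.php">
    # Apache 2.4 (mod_authz_core): anything not matched by a Require is denied.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>

    # Legacy Apache 2.2 syntax, used only when mod_authz_core is absent.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

After saving the file, a request such as `curl -I https://example.com/xmlrpc.php` from a non-whitelisted address should return HTTP 403. If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the client's, so the IP check only works once mod_remoteip (or an equivalent) restores the real client address.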
