Protecting Child Sites From XML-RPC Brute Force Attacks

WordPress core includes an XML-RPC interface, which a limited number of plugins, such as Jetpack, still use. More plugins relied on it in the past, when XML-RPC was the only way to connect to a site remotely. Most plugins now use the WordPress REST API to connect to a site and read or write its data.
XML-RPC is still targeted for brute force attacks on WordPress sites.
A number of CDNs, such as Cloudflare and Sucuri, protect XML-RPC by default. Cloudflare even offers an easy way to redirect XML-RPC requests to the site's home page using a page rule, which adds an extra layer of protection.
- In the "If the URL matches" field, put sitedomain.com/xmlrpc.php*
- Choose Forwarding URL and 301 – Permanent Redirect
- Finally, put https://sitedomain.com for the Forwarding URL value
- Click Save and Deploy

A plugin option is the Disable XML-RPC plugin from LittleBizzy. Order and download the plugin's zip file from their site, then bulk install it on all child sites from the MainWP dashboard.

With the Disable XML-RPC plugin installed on the child sites, a request to /xmlrpc.php on a child site returns:
HTTP/1.1 403 Forbidden
There are a couple of other methods if you are using Apache or NGINX on child sites.
.htaccess rule (Apache)
## block any attempted XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Block for nginx.conf (NGINX)
## block any attempted XML-RPC requests
location = /xmlrpc.php {
deny all;
}
You can also use the Code Snippets extension with a snippet that disables the XML-RPC methods that require authentication.
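The following is an added example of such a snippet; it is not the snippet from the original post or code from MainWP or LittleBizzy. It uses only WordPress core hooks (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `xmlrpc_login_error`, `rsd_link`) and assumes it is deployed through the MainWP Code Snippets extension or a site-specific plugin on each child site.

```php
<?php
/**
 * Added example (not the original post's snippet): restrict XML-RPC on a
 * WordPress child site so it cannot be used for credential guessing, while
 * leaving the methods that never require a login (demo.*, system.listMethods)
 * available. Deploy via the MainWP Code Snippets extension or a site plugin.
 */

// 1. Disable every XML-RPC method that requires authentication.
//    Core consults this filter in wp_xmlrpc_server::login(); with it set to
//    false, wp.*, blogger.*, metaWeblog.* and mt.* calls are refused with a
//    405 fault before any username/password is ever checked.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove system.multicall, which lets a single HTTP request bundle many
//    method calls (and therefore many login attempts), and pingback.ping,
//    which does not need a login and is the other commonly abused method.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'], $methods['pingback.ping'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link> in the page head, both of which point at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Log failed XML-RPC logins to the PHP error log. This filter only fires
//    when credentials are actually checked and rejected, so it has no effect
//    while step 1 is active; keep it for sites where a plugin such as Jetpack
//    needs authenticated XML-RPC and step 1 has to be removed.
add_filter( 'xmlrpc_login_error', function ( $error, $user ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'XML-RPC login failure from %s', $ip ) );
    return $error;
}, 10, 2 );
```

After deploying, a `system.listMethods` call against the child site should no longer list `system.multicall` or `pingback.ping`, and any `wp.*` call should come back as a 405 XML-RPC fault saying that XML-RPC services are disabled. Unlike the plugin, .htaccess and NGINX options above, this keeps the endpoint reachable, so prefer it only where a plugin still needs the unauthenticated methods.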
Using any of these methods will help protect your child sites from brute force attacks that target XML-RPC.
2 comments
Sebastian Moran
MainWP dashboard does not rely on XML-RPC or the WordPress REST API for connecting to child sites. So it is safe to disable XML-RPC on child sites. WP REST API is used heavily in the Gutenberg block editor, and WooCommerce makes use of the WP REST API for the WooCommerce REST API.
tad
MainWP doesn't use XML-RPC and it is safe to disable it on the dashboard and child sites? What about REST API, do you use it in any MainWP functionality?