Protecting Child Sites From XML-RPC Brute Force Attacks

WordPress core includes a remote interface called XML-RPC, which a limited number of plugins, such as Jetpack, still use. More plugins relied on it in the past, when XML-RPC was the only remote method available. Most plugins now use the WordPress REST API to connect to a site and read or write its data.

XML-RPC remains a common target for brute force login attacks on WordPress sites.

A number of CDNs, such as Cloudflare and Sucuri, protect XML-RPC by default. Cloudflare also offers an easy way to redirect requests for xmlrpc.php to the home page of a site using a page rule, which adds an extra layer of protection.

  1. In the If the URL matches put*
  2. Choose Forwarding URL and 301 – Permanent Redirect
  3. Finally, put for the Forwarding URL value
  4. Click Save and Deploy

A plugin option is the Disable XML-RPC plugin from LittleBizzy. Order and download the plugin's zip file from their site, then bulk install it on all child sites from the MainWP dashboard.

With the Disable XML-RPC plugin installed on the child sites, any attempt to open /xmlrpc.php on a child site will return:

HTTP/1.1 403 Forbidden

There are a couple of other methods if you are running Apache or NGINX on the child sites.

.htaccess rule (Apache)

## block any attempted XML-RPC requests
<Files xmlrpc.php>
    order deny,allow
    deny from all
    ## optional: uncomment and replace the placeholder to allow one trusted address
    # allow from TRUSTED_IP_PLACEHOLDER
    ## on Apache 2.4 without mod_access_compat, replace the order/deny/allow
    ## directives above with: Require all denied
</Files>

Block for nginx.conf (NGINX)

## block any attempted XML-RPC requests
location = /xmlrpc.php {
    ## returns 403 Forbidden for every client
    deny all;
}

You can also use the Code Snippets extension and add a snippet that disables the XML-RPC methods that require authentication, which leaves the endpoint in place but removes the login path that brute force attempts rely on.
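As an added example of what such a snippet can look like (this is not the original post's snippet or MainWP's code), the following uses two WordPress core filters: xmlrpc_enabled, which core checks before any authenticated XML-RPC method runs, and xmlrpc_methods, used here to go one step beyond the post by also removing system.multicall, which lets one request carry many calls. The snippet assumes it runs inside WordPress (a Code Snippets entry or an mu-plugin) and that no child site depends on Jetpack or another XML-RPC client.

```php
<?php
/**
 * Added example: disable authenticated XML-RPC methods on a WordPress child site.
 * Not the original post's snippet; assumes it is loaded by WordPress itself.
 */

// Core applies this filter in wp_xmlrpc_server::login(), so every method that
// needs a username and password (wp.*, metaWeblog.*, blogger.*, ...) returns an
// "XML-RPC services are disabled on this site" fault before credentials are checked.
add_filter( 'xmlrpc_enabled', '__return_false' );

// system.multicall does not need authentication itself but batches many calls
// into one request; dropping it removes that amplification as well.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// Optional: stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

After activating the snippet, an XML-RPC login attempt still reaches xmlrpc.php but is answered with a fault instead of a password check; a site that uses Jetpack or another XML-RPC-based service will lose that connection, so keep the per-site exception in mind before rolling it out in bulk.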

Using any of these methods will help keep your child sites from having brute force issues related to XML-RPC.

2 thoughts on “Protecting Child Sites From XML-RPC Brute Force Attacks”

  1. MainWP doesn’t use XML-RPC, and it is safe to disable it on the dashboard and child sites? What about the REST API, do you use it in any MainWP functionality?

  2. The MainWP dashboard does not rely on XML-RPC or the WordPress REST API for connecting to child sites. So it is safe to disable XML-RPC on child sites. The WP REST API is used heavily in the Gutenberg block editor, and WooCommerce makes use of the WP REST API for the WooCommerce REST API.
