
Protecting Child Sites From XML-RPC Brute Force Attacks


WordPress core includes an interface called XML-RPC, which a limited number of plugins such as Jetpack still use. More plugins relied on it in the past, when XML-RPC was the only way to connect to a site remotely. Most plugins now use the WordPress REST API to connect to a site and read or write its data.

XML-RPC is still targeted for brute force attacks on WordPress sites.

A number of CDNs like Cloudflare and Sucuri protect XML-RPC by default. Cloudflare even offers an easy way to redirect XML-RPC requests to the home page of a site using a page rule, which adds an extra layer of protection.

  1. In the "If the URL matches" field, put sitedomain.com/xmlrpc.php*
  2. Choose Forwarding URL and 301 – Permanent Redirect
  3. Finally, put https://sitedomain.com for the Forwarding URL value
  4. Click Save and Deploy

A plugin option you can use is Disable XML-RPC plugin from LittleBizzy. Order and download the zip file of the plugin from their site, and then bulk install it on all child sites from the MainWP dashboard.

With the Disable XML-RPC plugin installed on the child sites, if you do attempt to go to /xmlrpc.php on the child site, it will return:

HTTP/1.1 403 Forbidden

There are a couple of other methods if you are running Apache or NGINX on the child sites.

.htaccess rule (Apache)

## block any attempted XML-RPC requests
## (Apache 2.2 access syntax; on Apache 2.4 this needs mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
## 123.123.123.123 is a placeholder: replace it with the address of a service
## that legitimately needs XML-RPC, or remove the line to block everyone
allow from 123.123.123.123
</Files>

Block for nginx.conf (NGINX)

## block any attempted XML-RPC requests (NGINX answers them with 403 Forbidden)
location = /xmlrpc.php {
    deny all;
}

You can also use the Code Snippets extension with a snippet that disables the XML-RPC methods that require authentication.
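An added example of such a snippet (not the post's own code) for the Code Snippets plugin, which takes PHP without the opening tag: it uses WordPress's own xmlrpc_enabled filter to switch off every method that requires authentication, and additionally drops the unauthenticated multicall and pingback methods and stops the site from advertising the endpoint. It assumes Jetpack (or anything else that needs XML-RPC) is not in use on the child site.

```php
// Added example snippet for the Code Snippets plugin (not from the original post).
// Do not activate this on a child site that relies on Jetpack or another XML-RPC client.

// 1. Disable all XML-RPC methods that require authentication (wp.*, blogger.*,
//    metaWeblog.*, mt.*). This is the core filter WordPress exposes for that purpose;
//    a login attempt through XML-RPC now fails before credentials are checked.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. xmlrpc_enabled leaves a few methods callable without credentials. Remove the
//    ones with no use on a managed child site: system.multicall (bundles many calls
//    into one request) and the pingback methods.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and the
//    RSD <link> in the page head that points crawlers at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After activating the snippet, a POST to /xmlrpc.php still gets an XML-RPC response, but any authenticated method returns a fault instead of checking the password, which is the behaviour to verify on a child site.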

Using any of these methods will help keep your child sites from having brute force issues related to XML-RPC.

Sebastian Moran is a WordPress performance expert and technical liaison for MainWP.

2 thoughts on “Protecting Child Sites From XML-RPC Brute Force Attacks”

  1. MainWP doesn’t use XML-RPC, and it is safe to disable it on the dashboard and child sites? What about the REST API, do you use it in any MainWP functionality?

  2. MainWP dashboard does not rely on XML-RPC or the WordPress REST API for connecting to child sites. So it is safe to disable XML-RPC on child sites. WP REST API is used heavily in the Gutenberg block editor, and WooCommerce makes use of the WP REST API for the WooCommerce REST API.
