Stop XML-RPC Bruteforce Attacks by using MainWP


Late last week the Sucuri security blog announced that they have seen a large uptick in brute force attacks on WordPress sites using XML-RPC. Today we’ll go over 3 very quick and easy ways to turn off XML-RPC on all your MainWP Child sites.

The Sucuri Blog goes into great detail on how the attack works and I recommend you check that out if you want the full details.

MainWP does not communicate with your Child sites through XML-RPC, so it is safe to turn it off without affecting MainWP usability. However, some plugins, such as Jetpack, do, in which case you will want to verify how your site will be affected before turning it off.

If you have the iThemes Security Extension:

  1. Go to Extensions –> iThemes Security Extension –> Settings
  2. Find the WordPress Tweaks section and locate XML-RPC
  3. Select either “Only Disable TrackBacks/Pingbacks” or “Completely Disable XMLRPC”
  4. Save all Changes

This turns on that iThemes setting for all your Child sites.


If you have the Wordfence Extension:

Edit: According to the link provided by Dr. Wayne Buckhanan, from the Wordfence Blog, these steps are irrelevant since their plugin stops the attack automatically: WordPress XML-RPC Brute Force Attacks with multiple logins.

we did not need to modify Wordfence to provide protection against this attack. It simply protects you out of the box.

Note: this one did take a bit to find, so if you have an easier way using Wordfence, please leave it in the comments.

  1. Go to Extensions –> Wordfence Extension –> Wordfence Settings
  2. Find Security Level
  3. Select Level 4: Lockdown
  4. Save Settings

This turns on that Wordfence setting for all your Child sites.

Install a plugin to block XML-RPC

If you do not have the iThemes or Wordfence Extension, you can turn off XML-RPC by using a plugin such as Disable XML-RPC, which automatically turns off XML-RPC as soon as it is activated.

  1. Go to MainWP Dashboard –> Plugins –> Install (/wp-admin/admin.php?page=PluginsInstall)
  2. Search “Disable XML-RPC” in the Search field
  3. Be sure to select “Activate plugin after installation”
  4. Select all the sites you want to install it on from the right
  5. Press install now for Disable XML-RPC

This will turn off XML-RPC on all your Child Sites.
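
To confirm the change took effect on each Child site, the following added example (not from the original post, MainWP or any of the plugins above) posts the standard `system.listMethods` call to `/xmlrpc.php` and classifies the reply. The verdict names, the constructed sample bodies and the assumption that a site with pingbacks disabled stops listing `pingback.ping` belong to this example, not to the page.

```python
import re
import sys
import urllib.error
import urllib.request

# Standard XML-RPC introspection call; it carries no credentials.
LIST_METHODS = (b'<?xml version="1.0"?><methodCall>'
                b'<methodName>system.listMethods</methodName><params/></methodCall>')

def classify(status, body):
    """Map one xmlrpc.php response to (verdict, detail)."""
    if status >= 400:
        return "blocked", f"HTTP {status}"  # e.g. the 403 a blocking plugin returns
    if status != 200 or b"<methodResponse" not in body:
        return "unknown", f"HTTP {status}, no XML-RPC response"
    if b"<fault>" in body:
        return "refused", "endpoint answers but rejected the call"
    # Regex instead of an XML parser: the body is remote input and only names are needed.
    methods = {m.decode() for m in re.findall(rb"<string>([\w.]+)</string>", body)}
    if "pingback.ping" in methods:
        return "serving", f"{len(methods)} methods, pingback.ping included"
    if any(m.startswith("wp.") for m in methods):
        return "serving-no-pingback", f"{len(methods)} methods, no pingback.ping"
    return "unknown", "no recognisable methods listed"

def probe(site_url, timeout=10):
    """POST the call to one site; WordPress answers a plain GET with an error either way."""
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php",
                                 data=LIST_METHODS, headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(262144))
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")
    except urllib.error.URLError as err:
        return "unknown", f"request failed: {err.reason}"

# Constructed sample bodies (not captured from a real site) for checking classify() offline.
SAMPLE_SERVING = (b"<methodResponse><params><param><value><array><data>"
                  b"<value><string>wp.getUsersBlogs</string></value>"
                  b"<value><string>pingback.ping</string></value>"
                  b"</data></array></value></param></params></methodResponse>")
SAMPLE_NO_PINGBACK = SAMPLE_SERVING.replace(b"pingback.ping", b"wp.getOptions")

if __name__ == "__main__":
    for site in sys.argv[1:]:  # URLs of Child sites you administer
        verdict, detail = probe(site)
        print(f"{verdict:20} {site}  ({detail})")
```

A site reported as `serving` may still reject logins over XML-RPC; this check sends no credentials and does not test that, so treat `blocked` as the only verdict that confirms the endpoint is fully closed.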

1 thought on “Stop XML-RPC Bruteforce Attacks by using MainWP”

  1. Another option is:
    https://wordpress.org/plugins/disable-xml-rpc-littlebizzy/

    And can generate the 403 Denied error for any request to xmlrpc.php file.
