Posted on 1 Comment

Stop XML-RPC Bruteforce Attacks by using MainWP

Late last week the Sucuri security blog announced that have seen a large uptick in brute force attacks on WordPress sites using XML-RPC and today we’ll go over 3 very quick and easy ways to turn off XML – RPC on all your MainWP Child sites.

The Sucuri Blog goes into great detail on how the attack works and I recommend you check that out if you want the full details.

MainWP does not communicate with your Child sites through XML-RPC so it is safe to turn it off without affecting MainWP usability . However some plugins, such as Jetpack, do in which case you will want to verify how your site will be affected before turning it off.

If you have the iThemes Security Extension:

  1. Go to Extensions –> iThemes Security Extension –> Settings
  2. Find the WordPress Tweaks section and locate XML-RPC
  3. Select either “Only Disable TrackBacks/Pingbacks” or “Completely Disable XMLRPC”
  4. Save all Changes

This turns on that iThemes setting for all your Child sites


If you have the Wordfence Extension:

Edit: According to the link provided Dr.Wayne Buckhanan from the Wordfence Blog these steps are irrelevant since their plugin stops the attack automatically WordPress XML-RPC Brute Force Attacks with multiple logins.

we did not need to modify Wordfence to provide protection against this attack. It simply protects you out of the box.

Note: this one did take a bit to find so if you have an easier way using Wordfence please leave it in the comments

  1. Go to Extensions –> Wordfence Extension –>Wordfence Settings
  2. Find Security Level
  3. Select Level 4: Lockdown
  4. Save Settings

This turns on that Wordfence setting for all your Child sites

Install a plugin to block XML-RPC

If you do not have the iThemes or Wordfence Extension you can turn off XML-RPC by using a plugin such as Disable XML-RPC which automatically turns XML-RPC as soon as it is activated

  1. Go to MainWP Dashboard –> Plugins –> Install (/wp-admin/admin.php?page=PluginsInstall)
  2. Search “Disable XML-RPC” in the Search field
  3. Be sure to select “Activate plugin after installation”
  4. Select all the sites you want to install it on from the right
  5. Press install now for Disable XML-RPC

This twill turn off XML-RPC on all your Child Sites

Get MainWP News and Notifications

Dennis Dornon on Twitter
Dennis Dornon
Co-founder at MainWP
I am neither a coder nor a designer. My coding confession.

1 thought on “Stop XML-RPC Bruteforce Attacks by using MainWP

  1. Another option is:

    And can generate the 403 Denied error for any request to xmlrpc.php file.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.