WebHostingPeople Blog

How Can We Help?

How to Protect WordPress from XML-RPC Attacks

You are here:

WordPress is the most popular Content Management System. This popularity makes WordPress a prime target for hackers. The most frequent attack faced by a WordPress website is XML-RPC attack.

Identifying an XML-RPC Attack

1) The WordPress website displays the random “Error establishing database connection” error.

2) An “Out of memory” error occurs in the web console.

3) A “Can’t open the file no such file/directory” error appears in the web server error log.

4) A “POST /xmlrpc.php HTTP/1.0” error is logged in the web server access log.

What is XML-RPC?

WordPress utilizes a remote execution call known as XML-RPC that is used to exchange information between computer systems over a network. XML-RPC is a remote procedure call that utilizes HTTP for transport and XML for encoding. This functionality can be exploited to launch thousands of brute force attacks in a short period of time. Hackers attempt to log in to the WordPress admin portal using xmlrpc.php with any username/password. Xmlrpc.php enables hackers to guess hundreds of passwords with just three or four HTTP requests, leading to a high database load. As a result, your WordPress website will experience intermittent outages and display the “error establishing database connection” error.


Command to search for XML-RPC attack in various Linux distribution

For Apache on CentOS:

# grep xmlrpc /var/logs/httpd/access.log

For Apache on Ubuntu:

# grep xmlrpc /var/logs/apache2/access.log

For cPanel server:

# grep xmlrpc /home/username/logs/access.log

For Nginx server:

# grep xmlrpc /var/logs/nginx/access.log

If the WordPress website is under attack, then the output of the above command will be similar to:

“POST /xmlrpc.php HTTP/1.0” 200 674 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”


Blocking XML-RPC attack

We can block XML-RPC attack in various ways.

1)  Manually block the xmlrpc in the .htaccess file

Here, you can deny access to the xmlrpc file from all users. Simply paste the following code in the .htaccess file in the website’s document root.

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all


# END protect xmlrpc.php

2) Manually block xmlrpc in webserver document root.

For Apache, paste the code in the configuration file.


<Files xmlrpc.php>

order allow,deny

deny from all



For Nginx, paste the below code in the configuration file.


location /xmlrpc.php

deny all;

After modifying the configuration files, you need to restart the webserver to enable the changes.

3) Installing Jetpack Plugin.

Jetpack plugin for WordPress will block the XML-RPC requests. After enabling the Jetpack plugin, you will still see the XML-RPC entries in the web server access log. However, the plugin reduces the database load caused by these malicious requests.

Verification of Attack Diminution

After enabling the Jetpack plugin, the XML-RPC content still remains in the access log of the web server. The plugin reduces the load on the database and it will block the attacking IP addresses. If you manually block the XML-RPC in webserver configuration file or in the .htaccess file, your logs will still show the requests, but the resulting error code will be something other than 200. It will be 403, 500 or 404. Then, the output is similar to the code below.

“POST /xmlrpc.php HTTP/1.1” 403 291 “-” 674 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”

By reducing the malicious XML-RPC traffic, your WordPress website will be more secure and consume fewer system resources. Consequently, the WordPress website remains online.

If you need any further assistance, please contact our support department.

Post Your Comment