How to protect WordPress from XML-RPC attacks

XML-RPC is a remote procedure call protocol. As the name implies, it uses XML (Extensible Markup Language) to encode the calls that are made via HTTP.

In WordPress, XML-RPC support is enabled by default and is used to let users publish posts from weblog clients. Read more about the WordPress XML-RPC feature on the codex page. The endpoint WordPress uses is xmlrpc.php, a file located at the root of the installation.

During a WordPress XML-RPC attack, the attacker tries to log into the installation by brute force, using wordlists or randomly generated usernames and passwords. The attacker generates a lot of requests to xmlrpc.php, and these requests can easily increase the server load. Often a huge number of IP addresses (already compromised websites and PCs) is used to launch such attacks, so blocking individual IPs is not a viable solution.

As an end user, there are two ways to block access to the xmlrpc.php file: you can install a plugin (https://wordpress.org/plugins/tags/xmlrpc/) or you can simply block access with a rule in the .htaccess file.


Steps to block XML-RPC attacks with .htaccess:

1. Log into your web hosting control panel (cPanel, DirectAdmin or Plesk) or into your FTP account

2. Edit the WordPress .htaccess file. Add the following lines at the top:

<Files "xmlrpc.php">
Require all denied
</Files>

Now, any request to the xmlrpc.php file, regardless of the client IP, will be blocked and the server will return an HTTP 403 response:

Forbidden
You don't have permission to access this resource.

To test that the block is working, simply open https://yourdomain.com/xmlrpc.php; you should get the 403 page.
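The two things a site owner actually wants to know about this attack are whether a brute-force run against xmlrpc.php is happening (the attack described above) and whether the .htaccess rule is in effect for every request that reaches the server (the 403 check above). Both can be read from the Apache access log. The script below is an added example, not code from the original post: it parses Apache "combined" log lines, counts xmlrpc.php requests per client IP, and lists any xmlrpc.php request that did not get a 403, which is what you would see if the rule was put in the wrong .htaccess or the wrong vhost. The log lines, the IP addresses and the threshold of 3 requests are constructed for the example; in a real log you would tune the threshold to your traffic. The per-IP count is for visibility only; as the post says, blocking IPs one by one is not a viable defence against a distributed run.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format (not taken from the original page).
# The first three lines show a single client hammering xmlrpc.php before the rule was
# added (status 200); the last two show requests rejected by the .htaccess rule (403).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88.1"
192.0.2.55 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

# Apache combined log: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc(rec):
    """True when the request targets xmlrpc.php (ignoring any query string)."""
    return rec["path"].split("?", 1)[0].endswith("/xmlrpc.php")


def xmlrpc_hits_per_ip(log_text):
    """Count requests to xmlrpc.php per client IP, whatever the method or status."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_xmlrpc(rec):
            counts[rec["ip"]] += 1
    return counts


def suspicious_ips(log_text, threshold=3):
    """IPs that hit xmlrpc.php at least `threshold` times (the threshold is an assumption)."""
    return sorted(ip for ip, n in xmlrpc_hits_per_ip(log_text).items() if n >= threshold)


def unblocked_xmlrpc_requests(log_text):
    """xmlrpc.php requests that were answered with anything other than 403.

    After the .htaccess rule is in place this should be empty for new log lines;
    any entry here means a request still reached WordPress.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_xmlrpc(rec) and rec["status"] != 403:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for ip, n in xmlrpc_hits_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip:15s} {n} xmlrpc.php requests")
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
    for rec in unblocked_xmlrpc_requests(SAMPLE_LOG):
        print("not blocked:", rec["ip"], rec["time"], rec["status"])
```

Run it against a real log with something like `unblocked_xmlrpc_requests(open("/var/log/apache2/access.log").read())` after adding the rule. One caveat worth knowing when reading the results: `Require all denied` is Apache 2.4 syntax; on Apache 2.2 the equivalent inside the `<Files>` block is `Order deny,allow` followed by `Deny from all`, and with the wrong syntax for your version you will not see the 403 the post describes.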

If you have a VPS or a dedicated server hosting many websites, you can block XML-RPC access for all of them by adding the above rule to the /home/.htaccess file.

Resources:

Wikipedia XML-RPC
WordPress XML-RPC codex
Apache access control directives
