Block WordPress xmlrpc.php attack

WordPress is the most used CMS solution in the world, which is also used by White House websites, corporate website websites, newspaper websites, and shopping malls. Because the source code is open and an open structure, there are countless themes and plug-ins, and the market is also formed. At the same time, many attacks can occur.

WordPress security plugin blocked too many login attempts today. To use the WordPress app and JetPack, I had to use xml rpc, so I didn't block it, but today I tried to block xml rpc.



(image source)



Block admin login by trying to hack

I received the following email today. It means that too many login attempts with the wrong id were blocked.


A lockdown event has occurred due to too many failed login attempts or invalid username:
Username: ****
IP Address:

IP Range: 3.26.0.*

Log into your site's WordPress administration panel to see the duration of the lockout or to unlock the user.


All In One WP Security WordPress PluginI set various security options, such as trying to log in with , but it was sent by a child.


The login page URL of the WordPress admin page is fixed. And since WordPress is usually installed with the name admin, it tries to access the administrator account by accessing wp-admin and changing the password to the admin ID.

I changed the administrator account ID to something else, and I also changed the administrator login page with a plugin. So I couldn't log in, so I figured out why this happened.


XML RPC pingback attack


Looking at the Apache access log, the blocked IP kept calling xmlrpc.php. – – [22/Jun/2021:05:32:16 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:17 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:17 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:18 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:18 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:18 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:19 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:19 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443 – – [22/Jun/2021:05:32:20 +0000] “POST /xmlrpc.php HTTP/1.1” 200 443


This is called when doing a trackback or remotely accessing and writing a post. I found Used to attack other servers via my serverSays It is causing pingback traffic from my blog to other blogs.


According to the description of the plug-in, it is said that xml rpc scans network ports as well as DoS attacks. Blocking this can also reduce traffic.


This setting adds a directive to your .htaccess to disable access to the wordpress xmlrpc.php file, which is responsible for the XML-RPC functionality of wordpress.

Hackers can exploit various vulnerabilities in the WordPress XML-RPC API in several ways, including:

1) Denial of Service (DoS) attack

2) Hack internal router.

3) Scan ports on the internal network to get information from various hosts.

In addition to the security protection benefits, this feature can help reduce the load on the server, especially if your site has a lot of unsolicited traffic affecting the XML-RPC API in your current installation.

Note: You need to enable this feature only if your current WordPress installation does not use the XML-RPC feature.

If you want to disable this feature and pingback protection but still need XMLRPC, use the feature below.


Use of xmlrpc.php in WordPress


Trackbacks and Pingbacks

Around 2.0, when Web 2005 was in full swing, blogs started to become active, and I used to write with trackbacks on other blog posts.

I don't use it these days, so I think I can block it.



Using My Blog as a WordPress App

Around 2005, there was a time when remote posting became popular as a blogin app on Windows or Mac. Even if it is not a separate blogging app, you can connect to my site with the WordPress app to write articles and receive comment notifications.

I open xmlrpc because I sometimes write drafts with the WordPress app. I don't use it often, so it might be okay to block it.


Using the JetPack plugin

It is a plug-in made by the company that made WordPress. It has a security function, an image cdn function, and a statistical function. To use the JetPack plugin, xml-rpc must be enabled.

Google Analytics is used for usage statistics, and a plugin made in WordPress to prevent comment abusing is used. I use the function that this plug-in sends an email when there is only one server connection not available.

It's more annoying than getting a pingback attack, but I'll have to manually check if I can access the site from time to time.



Disable xmlrpc.php

There is no option to disable this in the WordPress admin function or in wp-config.php.

I think I should delete the xmlrpc.php file, but I found it again when I update WordPress. this is not the way

I found the following way.


Disable XML-RPC plugin

Just like WordPress, it has plugins. It is a plugin that disables xml-rpc. The simplest way.


Change the .htaccess file

If you can access the .htaccess file of the WordPress server, add the following:


# BEGIN protect xmlrpc.php order allow,deny deny from all # END protect xmlrpc.php


web server conf settings

If you can access httpd.conf of the Apache server, you can add the following content.

Require all denied #ErrorDocument 403 /403.html


If you use nginx, refer to this articleDo it.



Add filter to your theme's function.php

Add the following code to the function.php of the child theme.

add_filter('xmlrpc_enabled', false);


Since there is such a thing, it would be good if you can configure it in wp-config.php.


All In One WP Security WordPress Plugin

So far, the method is to disable xml-rpc. However, all firewall functions of this plug-in can be blocked, and only pings from xml rpc can be blocked.

It seems to let you use the WordPress app or JetPack.

In the figure below, if you disable the pingback function in XMLRPC, you can use the WordPress app and Jetpack.



Note: If you are using Jetpack or WordPress iOS or any other app, you should enable this feature but leave the “Block completely for XMLRPC” checkbox unchecked.

This feature still allows XMLRPC functionality on the site, but disables the pingback method.

This feature removes the “X-Pingback” header even if it is present.



The easiest way to do this is to block it with a plugin. I don't use plugins and once blocked with .htaccess . I'm trying not to use .htaccess, so I'm planning to block it with web server conf or child theme's function.php in the future.



0 If you like the article, please click the heart~ It will be a strength to bloggers (SNS/login/advertising is not related)

Articles you might like

Push-Up Star: Push-Up Counter

Automatic push-up measurement and voice count, various types of push-up measurement and push-up speed analysis, police officers, military fitness test, military academy, student health fitness assessment (POPs), etc. automatically calculated

Add a Comment

Email addresses are not disclosed. Required items *is indicated by

This posting is part of Coupang Partners' activities, and a certain amount of commission is provided accordingly.