How to Protect WordPress from XML-RPC Attacks

Posted on February 1st, 2017

WordPress is the most popular Content Management System. This popularity makes WordPress a perfect target for hackers. The most common attack faced by a WordPress site is XML-RPC attack.


Recognizing an XML-RPC Attack

1) Randomly “Error establishing database connection” error is displaying on the WordPress site.

2) “Out of memory” error in the web console.

3) “Cannot open the file no such file/directory” error in web server error log.

4) “POST /xmlrpc.php HTTP/1.0” error in webserver access log.


What is XML-RPC?

WordPress utilizes a remote execution call called XML-RPC that is used to exchange information between computer systems over a network. XML-RPC is a remote procedure call that uses HTTP for transport and XML for encoding. This functionality can be exploited to send thousands of brute force attack in a short time. Hackers try to login to WordPress admin portal using xmlrpc.php with any username/password. Xmlrpc.php allows hackers to guess hundreds of passwords with only 3 or 4 HTTP requests leading to a high database load. Then your WordPress site will randomly go down and parse the error “error establishing database connection”


Command to search XML-RPC attack in different Linux distribution

For apache on centos:

# grep xmlrpc /var/logs/httpd/access.log

For apache on Ubuntu:

# grep xmlrpc /var/logs/apache2/access.log

For cPanel server

# grep xmlrpc /home/username/logs/access.log

For nginx server:

# grep xmlrpc /var/logs/nginx/access.log

If the WordPress site is facing attack, then the output of the above command will be similar to

“POST /xmlrpc.php HTTP/1.0” 200 674 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”


Blocking XML-RPC attack

We can block XML-RPC attack in different ways.


1)  Manually block the xmlrpc in the .htaccess file

Here you can deny the access of xmlrpc file from all users. Simply paste the following code in the .htaccess file in the website document root.

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all


# END protect xmlrpc.php


2)Manually block xmlrpc in webserver document root.

For Apache paste the code in the configuration file.


<files xmlrpc.php>

order allow,deny

deny from all




For Nginx paste the below code in the configuration file.

server {

location /xmlrpc.php {

deny all;



After editing the configuration files you need to restart the webserver in order to enable the changes.


3) Installing Jetpack Plugin.

Jetpack plugin for WordPress will block the XML-RPC requests. After enabling the jetpack plugin, you will still see the XML-RPC entries in the web server access log. The plugin reduces the load on the database from these malicious logs.


Verify Attack diminution

After enabling Jetpack plugin, the XML-RPC content is still remaining on the access log of the web server. The plugin reduces the load of the database and the plugin will block the attacking IP addresses. If you manually block the XML-RPC in webserver configuration file or in the .htaccess file, your logs will still show the requests, but the resulting error code will be something other than 200. It will be 403,500 or 404. Then the result is similar to the code below.

“POST /xmlrpc.php HTTP/1.1” 403 291 “-”674 “-” “Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)”

By reducing the malicious XML-RPC traffic your WordPress site will be more secure and it consumes fewer system resources. As a result, the WordPress site stays online.



If you need any further assistance please contact our support department.



Leave a Reply