TopSeoTutWordpressHow to Protect WordPress from XML-RPC DDoS Attacks

How to Protect WordPress from XML-RPC DDoS Attacks

Protect Wordpress from xmlrpc DDos Attack
Protect Wordpress from xmlrpc DDos Attack

What is RPC?

RPC (Remote Procedure Call) is a small extension to start connections call step between different applications or different machines.

What is XML-RPC?

Essentially it allows you, through the XML-RPC protocol to post, edit and publish pages from a desktop application like BlogDesk, MarsEdit and ScribeFire. In other words, its used for remotely publish your content from your desktop. Most users doesn’t need WordPress XML-RPC application, and it’s one of the most popular backdoor causes for attacking.

Whats is DDos attack ?

DDoS (Distributed Denial of Service) is an attempt to make an online website unavailable by crushing it with huge massive traffic from multiple sources.

What is the Best Ways to Protect WordPress from xmlrpc Brute Force Attacks?

There are many ways to block and disable access to xmlrpc as well as pingback and trackbacks, like .httacces and themes function modification or even plugin but i will try to explain it simply by the following 5 steps to prevent any confusing.

  • Disable Pingback Function
  • Remove xmlrpc.php Linkback
  • Disable XML-RPC WordPress Plugin
  • Modify Themes Function
  • Block Access to xmlrpc by .httaccess

#1: How to Disable Pingback in your WordPress Setting?

First and simple step is disable pingbacks in your wordpress which is enabled by default, just open your site dashboard then go to Settings->Discussion and remove this option “Allow link notifications from other blogs (pingbacks and trackbacks)” then save your changes.

Disable pingback trackbacks

#2: How to Remove xmlrpc.php linkback from your header?

Open your site dashboard then go to Appearance->Editor->Header.php then Find and remove this line.

<link rel="pingback" href="<?php bloginfo( 'pingback_url' ); ?>">

Remove xmlrpc link from header

#3: What is the Best Plugin to Disable XML-RPC API Service?

Disable XML-RPC plugin it just simply disables XML-RPC API in WordPress, which is enabled by default.
All you have to do, is just activate it after installation from Plugins->Add New and type “disable xml rpc pingback” in search box (developed By Philip Erb).

Disable XML-RPC plugin

#4: Modify Themes function to block access for XML-RPC

If you don’t like to install additional plugin in your site, just add one of the following code at the end of your themes function file functions.php, keep in mind both codes do the same of the Disable XML-RPC plugin.

add_filter('xmlrpc_enabled', '__return_false');


add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods[''] );
    return $methods;
} );

filter code functions

#5: How to Block Access to xmlrpc by .httaccess Modify?

if you would like to block access to xmlrpc.php file, just add following code at the end of .httaccess file

<IfModule mod_alias.c>
    RedirectMatch 403 /xmlrpc.php

Alternate way for .httaccess file (its my favorite one)

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all

if you would like to block access for everyone but allowed for your ip, use the following code and replace “11/22/33/44” with your own PC IP.

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    Allow from 11/22/33/44

XMLRPC Best Practices

  • Be smart and fight malicious attacks and don’t surrender.
  • You have to learn daily for how to close all backdoors in your site.
  • You have to be sure 100% of fix after each step completed by testing the results manually.
  • Be ware of .httacces modification file because you may block other useful pages by mistake.


  1. I’ve been surfing online more than 2 hours today, yet I never found any interesting article like
    yours. It is pretty worth enough for me. In my view, if all web owners and bloggers
    made good content as you did, the net will be much more useful
    than ever before.

Most Popular

Recent Comments