Protect yourself from a WordPress XML-RPC attack

WordPress has become a favorite target of hackers; therefore, it's essential to learn how to protect your site.


WordPress is one of the most common blogging and content‑management systems today. It is also a favorite target for attackers, and a typical attack vector is to look for weak passwords on the administrator account. By using the WordPress API, an attacker can try a very large number of passwords in a short period of time.

If many attempts are made against a WordPress site that runs on a less powerful server, problems can quickly arise. Both CPU and memory may become exhausted, causing visitors to lose access to the website.

This guide shows how to protect your site against the attack described above.

The file most frequently called by attackers is xmlrpc.php, the WordPress XML-RPC endpoint. The simplest mitigation is to block access to that file. You can do this by editing your .htaccess file and adding the appropriate directives below, depending on which version of Apache you are running.

Instructions for Apache2 version 2.2

.htaccess
# BEGIN protect xmlrpc.php
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
# END protect xmlrpc.php

Instructions for Apache2 version 2.4

.htaccess
# BEGIN protect xmlrpc.php
<Files xmlrpc.php>
Require all denied
</Files>
# END protect xmlrpc.php

More information and general tips

Please note that the .htaccess file only has an effect if the Apache server has AllowOverride AuthConfig enabled for the site in the virtual host's <Directory> configuration. For example, this can look like below:
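The following virtual host is an added example, not configuration from the original guide: it shows where AllowOverride belongs so that the .htaccess rules above are honoured, and, as an alternative, the same xmlrpc.php block placed directly in the virtual host so that it works even when .htaccess processing is disabled. The hostname example.com, the paths under /var/www and /var/log/apache2, and the environment variable name xmlrpc_request are placeholders chosen for the example.

```apache
# Added example (not part of the original guide). Apache 2.4 syntax; for
# Apache 2.2 use the order/deny lines from the guide inside <Files>.
# example.com and the paths below are placeholders.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com

    <Directory /var/www/example.com>
        # Require (2.4) is only processed from .htaccess with AuthConfig;
        # the 2.2-style order/allow/deny directives additionally need Limit.
        AllowOverride AuthConfig Limit
    </Directory>

    # Alternative that does not depend on .htaccess at all: the same block
    # placed in the virtual host. Apache answers 403 for xmlrpc.php before
    # PHP is started, so the request costs almost no CPU or memory.
    <Files xmlrpc.php>
        Require all denied
    </Files>

    # Write requests for xmlrpc.php to their own log so that bursts of
    # password-guessing attempts are easy to spot (assumed log path).
    SetEnvIf Request_URI "/xmlrpc\.php$" xmlrpc_request
    CustomLog /var/log/apache2/example.com-xmlrpc.log combined env=xmlrpc_request
    CustomLog /var/log/apache2/example.com-access.log combined env=!xmlrpc_request
</VirtualHost>
```

After reloading Apache, a request such as curl -I http://example.com/xmlrpc.php should return 403 Forbidden; a 200 response means the rules are not being applied, most often because AllowOverride is missing or the .htaccess file sits in the wrong directory. Be aware that the WordPress mobile apps, Jetpack and pingbacks/trackbacks use XML-RPC, so they stop working once the file is blocked.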

Tip: There are also several WordPress plugins available for managing XML‑RPC in various ways: https://wordpress.org/plugins/search/xml+rpc/
