
# Protect yourself from a WordPress XML-RPC attack

***

WordPress is one of the most common blogging and content‑management systems today. It is also a favorite target for attackers, and a typical attack vector is to look for weak passwords on the administrator account. By using the WordPress XML‑RPC API (`xmlrpc.php`), an attacker can try a very large number of passwords in a short period of time.

If many attempts are made against a WordPress site that runs on a less powerful server, problems can quickly arise. Both CPU and memory may become exhausted, causing visitors to lose access to the website.

This guide helps protect you against the vulnerability described above.

The file `xmlrpc.php` is the one most frequently called by attackers. The simplest mitigation is to block access to that file. You can do this by editing your `.htaccess` file and adding the appropriate directives below, depending on which version of Apache you are running.
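Before (or after) adding the block, it helps to see whether such password‑guessing traffic is actually hitting the site. The script below is an added example and is not part of this guide: it reads Apache access‑log lines in the standard "combined" format, counts `POST` requests to `xmlrpc.php` per client address inside a sliding time window, and reports clients that exceed a threshold. It also counts how many of those requests were answered with `403`, which is what the `.htaccess` rule returns once it is in place, so the same script shows whether the block is working. The log lines, the threshold of 20 requests and the 60‑second window are constructed for the example, not values from the guide.

```python
"""Spot XML-RPC password-guessing bursts in an Apache access log.

The sample log lines, the threshold and the window below are constructed
for this example; adjust them to your own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format:
# client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: (total_hits, blocked_hits)} for every client that sent
    more than `threshold` POSTs to xmlrpc.php inside any span of `window`.
    `blocked_hits` counts responses with status 403, i.e. requests rejected
    by the .htaccess rule before they reached WordPress."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append((rec["time"], rec["status"]))

    result = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                blocked = sum(1 for _, status in hits if status == 403)
                result[ip] = (len(hits), blocked)
                break
    return result


# --- constructed sample log: one guessing burst, one blocked client, one visitor ---
_base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
_fmt = '{ip} - - [{t}] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'


def _stamp(seconds):
    return (_base + timedelta(seconds=seconds)).strftime(TIME_FMT)


SAMPLE_LINES = []
# 25 POSTs in 25 seconds from one address, all reaching PHP (status 200)
for i in range(25):
    SAMPLE_LINES.append(_fmt.format(ip="198.51.100.7", t=_stamp(i), m="POST", p="/xmlrpc.php", s=200))
# a few POSTs from another address, rejected by the .htaccess rule (status 403)
for i in range(3):
    SAMPLE_LINES.append(_fmt.format(ip="203.0.113.5", t=_stamp(100 + i), m="POST", p="/xmlrpc.php", s=403))
# an ordinary page view that must not be counted
SAMPLE_LINES.append(_fmt.format(ip="192.0.2.10", t=_stamp(5), m="GET", p="/index.php", s=200))

if __name__ == "__main__":
    for ip, (total, blocked) in xmlrpc_bursts(SAMPLE_LINES).items():
        print(f"{ip}: {total} POSTs to xmlrpc.php, {blocked} of them blocked (403)")
```

Run it against a real log with `xmlrpc_bursts(open("/var/log/apache2/access.log"))`; a client that shows up with a high total and zero blocked hits means the requests are still reaching WordPress, while a high blocked count confirms the rule is doing its job.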

## Instructions for Apache2 version 2.2

{% code title=".htaccess" %}

```apacheconf
# BEGIN protect xmlrpc.php
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>
# END protect xmlrpc.php
```

{% endcode %}

## Instructions for Apache2 version 2.4

{% code title=".htaccess" %}

```apacheconf
# BEGIN protect xmlrpc.php
<Files xmlrpc.php>
    Require all denied
</Files>
# END protect xmlrpc.php
```

{% endcode %}

## More information and general tips

**Please note** that for the `.htaccess` file to have any effect, the Apache server needs to have `AllowOverride AuthConfig` in the virtual host's configuration (the `Order`/`Deny` directives used in the Apache 2.2 snippet belong to the `Limit` override category, so `AllowOverride AuthConfig Limit` covers both variants). For example, the virtual host can look like this:

{% code title="Example vhost configuration" %}

```apacheconf
<VirtualHost *:443>
        ServerName my-test.site
        ServerAdmin webmaster@my-test.site
        DocumentRoot /var/www/my-test.site

        <Directory /var/www/my-test.site>
            Options Indexes FollowSymLinks
            # AllowOverride is the line that enables .htaccess processing
            AllowOverride AuthConfig
            Require all granted
        </Directory>

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/my-test.site/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/my-test.site/privkey.pem
</VirtualHost>
```

{% endcode %}

**Tip:** There are also several WordPress plugins available for managing XML‑RPC in various ways: <https://wordpress.org/plugins/search/xml+rpc/>

