If you manage a WordPress website, you may have come across a file named xmlrpc.php. While this file was once essential for enabling remote communication with WordPress, it has become one of the most commonly targeted endpoints by attackers.
xmlrpc.php is a legacy WordPress component originally designed to enable remote communication between WordPress and external applications. While it served an important purpose in earlier versions of WordPress, most of its functionality has been replaced by the WordPress REST API.
As XML-RPC is frequently targeted for brute-force login attempts, pingback abuse, and DDoS-related attacks, it represents an unnecessary security risk for many websites. If your website does not specifically rely on XML-RPC, disabling it is a straightforward and effective way to improve your WordPress security posture.
How to Check If Your Website Uses XML-RPC
Method 1: Access the Endpoint Directly
Visit:
https://yourdomain.com/xmlrpc.php
If XML-RPC is enabled, a plain GET request typically returns this text:
XML-RPC server accepts POST requests only.
This indicates the endpoint is active. An HTTP 403 or 404 instead means the file is blocked or removed at the web-server level. The banner alone does not tell you whether logins are accepted: a plugin that switches XML-RPC off through WordPress's xmlrpc_enabled filter leaves the banner in place and rejects only the methods that require authentication, so a POST that calls such a method is the conclusive check.
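The check above can be scripted so it distinguishes the three states a practitioner cares about: blocked at the web server, enabled, or disabled by a plugin while the GET banner still appears. The following is an added example written for this article; it is not code from WordPress or from any plugin. It assumes the stock WordPress responses noted in the comments (fault 405 when XML-RPC is disabled, fault 403 for wrong credentials), the target URL is a placeholder, and the SAMPLE_* bodies are constructed here so the classifier can be exercised offline.

```python
"""Probe a WordPress xmlrpc.php endpoint and classify what it exposes.

Added example for this article; not code from WordPress or any plugin.
Assumes the stock WordPress responses noted below. The target URL is a
placeholder and the SAMPLE_* bodies are constructed, not captured.
"""
import urllib.error
import urllib.request
import xmlrpc.client

# --- Constructed sample responses (not captured from a real site) -----------
SAMPLE_GET_BANNER = b"XML-RPC server accepts POST requests only."

# Reply to system.listMethods from a site with XML-RPC fully enabled.
SAMPLE_LIST_METHODS = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Reply to an authenticated method (e.g. wp.getUsersBlogs) when the
# xmlrpc_enabled filter returns false: WordPress answers with fault 405.
SAMPLE_DISABLED_FAULT = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""


def build_request(method, *params):
    """Serialise an XML-RPC methodCall body for the given method and params."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def classify(status, body):
    """Map an HTTP status and response body from xmlrpc.php to a verdict."""
    if status in (403, 404, 410):
        return "blocked"                      # denied or removed at the web server
    text = body.decode(errors="replace")
    if not text.lstrip().startswith("<?xml"):
        # Plain-text banner returned for GET; says nothing about logins.
        return "enabled-banner" if "XML-RPC server accepts POST" in text else "unknown"
    try:
        params, _ = xmlrpc.client.loads(text)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 405:
            return "disabled"                 # authenticated methods switched off
        if fault.faultCode == 403:
            return "accepting-logins"         # credentials were checked: logins reachable
        return f"fault:{fault.faultCode}"
    methods = params[0] if params and isinstance(params[0], list) else []
    exposed = [m for m in ("system.multicall", "pingback.ping") if m in methods]
    return "enabled:" + ",".join(exposed) if exposed else "enabled"


def probe(url, timeout=10):
    """Live check (network required): list methods, then try a login method.

    Returns one verdict per request sent.
    """
    verdicts = []
    for call in (build_request("system.listMethods"),
                 build_request("wp.getUsersBlogs", "probe", "probe")):
        req = urllib.request.Request(url, data=call,
                                     headers={"Content-Type": "text/xml"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                verdicts.append(classify(resp.status, resp.read()))
        except urllib.error.HTTPError as err:
            verdicts.append(classify(err.code, err.read()))
    return verdicts


if __name__ == "__main__":
    import sys
    # Placeholder target; pass your own xmlrpc.php URL on the command line.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "https://yourdomain.com/xmlrpc.php"))
```

Run it as `python probe_xmlrpc.py https://yourdomain.com/xmlrpc.php`. A fully exposed site reports `['enabled:system.multicall,pingback.ping', 'accepting-logins']`; a site with a filter-based plugin reports `disabled` for the second call; a site that denies the file at the web server reports `blocked` for both.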
Security Risks of xmlrpc.php
xmlrpc.php is a WordPress-specific file that, if left enabled, can be exploited in two damaging ways.
1. Amplified Brute Force Attacks:
XML-RPC's system.multicall method lets an attacker bundle hundreds of password guesses into a single HTTP request: instead of 500 separate login attempts against /wp-login.php there is one POST to /xmlrpc.php, so rate limiting and lockout rules that only count failed logins on the standard login page never see it. Current WordPress versions refuse further login attempts within a request once one has failed, which blunts the amplification, but every request still yields a guess and still bypasses controls that watch only /wp-login.php.
2. DDoS Amplification:
WordPress's pingback.ping method makes your site fetch a caller-supplied source URL in order to verify the pingback. An attacker sends pingback requests naming the victim as that source URL to thousands of WordPress sites; each of them then requests the victim's page, and together they flood it offline. Your site participates without your knowledge, the victim's logs show the traffic coming from your IP address with a WordPress user agent, and the result can be account suspension or IP blacklisting by your host.
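Both abuses are visible in the request body alone, which is what a WAF rule or reverse-proxy hook would inspect. The following is an added example written for this article, not code from WordPress, from any plugin or from a WAF vendor: it builds the attacker-style system.multicall payload from the brute-force section, then classifies request bodies into brute force, pingback reflection, oversized multicall or benign. The method names are WordPress's own; where the check would run (a proxy hook with the raw POST body) and the SAMPLE_* bodies are assumptions constructed here.

```python
"""Classify an inbound xmlrpc.php request body for multicall brute force
and pingback abuse.

Added example for this article; not WordPress, plugin or WAF vendor code.
inspect_body() assumes it runs where the raw POST body is available (a
reverse proxy or WAF hook). The SAMPLE_* bodies are constructed here.
"""
import xmlrpc.client
from urllib.parse import urlparse

# Stock WordPress methods whose first two params are username and password.
LOGIN_METHODS = {
    "wp.getUsersBlogs", "wp.getProfile", "wp.getUsers",
    "blogger.getUsersBlogs", "metaWeblog.getRecentPosts",
}


def multicall_body(username, passwords):
    """Build the attacker-style payload: one POST carrying many guesses."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def _calls(body):
    """Yield (method, params) pairs, expanding system.multicall."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        for call in params[0]:
            yield call.get("methodName"), list(call.get("params", []))
    else:
        yield method, list(params)


def inspect_body(body, max_logins=1, max_calls=10):
    """Return a verdict dict for one request body."""
    try:
        calls = list(_calls(body))
    except Exception as exc:           # ExpatError, ResponseError, bad shapes
        return {"verdict": "malformed", "detail": type(exc).__name__}
    for method, params in calls:
        # pingback.ping(sourceURI, targetURI): this site would fetch sourceURI
        if method == "pingback.ping" and len(params) >= 2:
            return {"verdict": "pingback",
                    "fetches": urlparse(str(params[0])).hostname,
                    "for": str(params[1])}
    logins = [params[0] if params else None
              for method, params in calls if method in LOGIN_METHODS]
    if len(logins) > max_logins:
        return {"verdict": "bruteforce", "attempts": len(logins),
                "usernames": sorted({str(u) for u in logins})}
    if len(calls) > max_calls:
        return {"verdict": "oversized-multicall", "calls": len(calls)}
    return {"verdict": "ok", "calls": len(calls)}


# Constructed samples (not captured traffic).
SAMPLE_BRUTEFORCE = multicall_body("admin", [f"Password{i}" for i in range(500)])
SAMPLE_PINGBACK = xmlrpc.client.dumps(
    ("http://victim.example/heavy-page", "https://yourdomain.com/?p=1"),
    methodname="pingback.ping")
SAMPLE_BENIGN = xmlrpc.client.dumps(("editor", "s3cret"), methodname="wp.getUsersBlogs")

if __name__ == "__main__":
    for name, body in (("bruteforce", SAMPLE_BRUTEFORCE),
                       ("pingback", SAMPLE_PINGBACK), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_body(body))
```

The 500-guess sample is a single request of a few hundred kilobytes; a rule that counts login attempts per request, rather than requests per IP, is what catches it. Treating any pingback.ping as suspicious is reasonable on a site that does not use pingbacks, since it is the only XML-RPC method that makes the server fetch an arbitrary URL.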
How to Disable xmlrpc.php
- From your WordPress dashboard, navigate to Plugins > Add New.
- In the search bar, type “Disable XML-RPC”.
- You will see several options. A popular and highly rated choice is “Disable XML-RPC” by Philip Erb. Examples: https://wordpress.org/plugins/disable-xml-rpc/ , https://wordpress.org/plugins/disable-xml-rpc-api/
- Click “Install Now” and then “Activate”.
Once activated, the plugin adds the code needed to turn XML-RPC off. Plugins of this kind typically hook WordPress's xmlrpc_enabled filter, which disables only the methods that require authentication: login attempts, including those bundled in system.multicall, then fail with faultCode 405 “XML-RPC services are disabled on this site.” That filter does not affect pingback.ping, so if you also want to stop pingback abuse, deny requests to /xmlrpc.php at the web server or host firewall as well. After activating, repeat the check above: with a filter-based plugin the GET banner remains and a login call should return the 405 fault; with a web-server block the endpoint should return HTTP 403.
Reference:
- https://www.youtube.com/watch?v=P2vK7l-tFvo
- https://elementor.com/blog/xmlrpc-php-in-wordpress/
- https://wpmarmite.com/en/xmlrpc-wordpress/
| alert-warning |
Vulnerabilities in WordPress core and plugins are highly prevalent. While this article addresses the XML-RPC issue observed in your case, it may not be the only risk: other core or plugin vulnerabilities could also be contributing to the compromise. We recommend a full security audit of your WordPress installation and plugins to rule out additional threats. See our full Security Vulnerability Reference Guide |
Conclusion
xmlrpc.php is a legacy remote-access interface whose role has largely been taken over by the WordPress REST API, yet it remains one of the most targeted endpoints for brute-force logins and pingback abuse. Unless a specific integration (a mobile app, a desktop publishing client or a service that still speaks XML-RPC) requires it, disable it, confirm with the check above that login calls are rejected, and block the file at the web server if pingbacks must be stopped too.