XML-RPC: The WordPress Weakness You Didn't Know You Had


Audience: WordPress Developers, Site Administrators


WordPress is the most popular Content Management System (CMS) on the internet. As it supports some 74 million websites across the web, it has undoubtedly become a major target for hackers. There are a few ways to protect your WordPress website from unwanted intruders but what about the security issues you have no idea existed? Enter XML-RPC.


What is XML-RPC?

This is a fancy term for a remote procedure call (RPC) that uses XML as the data format. It’s something that WordPress uses throughout the core to remotely execute functions. Specifically, WordPress uses XML-RPC to interact with the WordPress API.


Many site owners, and often developers, have no idea that it even exists — which is a problem. XML-RPC can be exploited by attackers to overwhelm your database and bring your entire server to a halt.


How do I protect against XML-RPC attacks?

There are two basic ways to protect your site: JetPack (a plugin developed by the WordPress team) or you can disable XML-RPC at the server level. We’ll stick with the easier version — using JetPack — as it doesn’t require any server-level access. If you want to try it the hard way, and know the caveats, I suggest you check out this article on DigitalOcean. It covers a few more advanced topics out of the scope of this article.


The first step: Download and install JetPack. You can do this through the WordPress interface itself or upload and install the plugin manually (woof). Once it’s installed and configured (you’ll need a WordPress.org account to connect JetPack to your website), simply click the “Settings” submenu under JetPack.


This will bring up a full listing of all the JetPack modules that you have installed. The one we’re looking for is called “Protect”.




And bam! You’re done.


Man, that was easy.

Why yes — yes it was. This will proactively stop brute-force attacks that hammer your site’s xmlrpc.php file, which, if hit with enough force, will bring your server down. I recommend making sure this is installed on every website you run, as JetPack will work to block the offending IPs and retain a record of them.
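To make concrete what “blocking the offending IPs” means in practice, here is an added example (not JetPack’s code, and not part of the original post) that does the same kind of thing by hand: it reads web-server access log lines in the common “combined” format, counts POST requests to xmlrpc.php per client address, and flags any address that exceeds a threshold inside a sliding time window. The function and parameter names (`xmlrpc_bursts`, `threshold`, `window`) and the sample log lines are constructed for this example; the threshold of 20 requests per minute is an assumption you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # drop any query string so "/xmlrpc.php?foo=1" still matches
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak_hits} for every client that POSTs to xmlrpc.php at least
    `threshold` times inside any interval of length `window`.

    Only POSTs count: XML-RPC calls (including login attempts) are always POSTs,
    and ordinary page views to the rest of the site are ignored.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        peak = 0
        # two-pointer sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# --- Constructed sample traffic (not a real server log) ---------------------
def _line(ip, ts, method="POST", path="/xmlrpc.php", status=200):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
            f'"{method} {path} HTTP/1.1" {status} 370 "-" "Mozilla/5.0"')


_T0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 30 POSTs to xmlrpc.php from one address inside 30 seconds: brute-force pattern
    [_line("203.0.113.7", _T0 + timedelta(seconds=i)) for i in range(30)]
    # 5 POSTs spread over 20 minutes: a legitimate remote-publishing client
    + [_line("198.51.100.4", _T0 + timedelta(minutes=5 * i)) for i in range(5)]
    # 50 ordinary page views from a third address: not XML-RPC, never counted
    + [_line("192.0.2.9", _T0 + timedelta(seconds=i), method="GET", path="/") for i in range(50)]
)

if __name__ == "__main__":
    for ip, peak in xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to xmlrpc.php inside one minute, consider blocking")
```

Run against a real log, only the first address would be reported; the second stays under the threshold because its requests are spread out, and the third never touches xmlrpc.php. A plugin like Protect applies the same idea continuously and adds the IP to a block list; a script like this is useful for checking your own logs after the fact or for feeding a firewall rule from a cron job.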


Have no idea what this means for you? Feel free to leave comments below or contact us directly to help with your WordPress site management.

