Protect your WordPress site from an XML-RPC attack

Protect your WordPress site from an XML-RPC attack

“Your site is under attack.”

No one likes to hear those words. Heck, we don’t like to have to deliver the bad news! Hackers are typically looking for access to your system so they can use it to send spam, mine bitcoin, launch attacks on other websites, or any number of other similar purposes. In some cases attackers do it for the “lulz,” simply because they enjoy making other people’s lives difficult.

That’s why we recommend the Stop XML-RPC Attack plugin.

What is “XML-RPC” and why would anyone want to attack it?

XML-RPC is a way for websites and applications to issue commands to each other. These commands are called Remote Procedure Calls (RPC), and they’re communicated through eXtensible Markup Language (XML).

WordPress comes with an XML-RPC service pre-installed and pre-configured for anyone to use. There are many possibilities for using this functionality, but the most common are the Jetpack plugin and the WordPress mobile app. If you use either of those, you’re already using XML-RPC behind the scenes.

Unfortunately, this ability to control your website is also a pretty sweet target for attackers through either DDoS attacks (i.e., spamming your site with pingbacks) or brute force attacks (i.e., repeatedly trying various combinations of usernames and passwords to gain access to your site). While the success rate for attacks targeting the XML-RPC service is very low, that doesn’t stop hackers from trying. And a flood of these requests can make your site very sluggish.

Stop XML-RPC Attack to the rescue!

When an XML-RPC attack happens, many people choose to block all access to the service, either in functions.php or in .htaccess. While this is effective at stopping attackers, it also stops the legitimate services from working. The Stop XML-RPC Attack plugin fixes this by allowing Jetpack and other WordPress-published applications to access XML-RPC while blocking everyone else. The plugin is smart enough to be able to track the IP addresses that Jetpack uses in real-time to ensure it’s always working.

It’s incredibly easy to install Stop XML-RPC Attack. (It probably took you longer to read this post than it will to actually do the install!)

Just follow these quick steps:

  1. Click on Plugins on your WordPress dashboard.
  2. Click Add New.
  3. Search for Stop XML-RPC Attacks.
  4. Click Install Now and then Activate.

That’s it! There are no additional settings to configure, so once it’s activated, you should be set.

To be sure everything is working as expected, check your Jetpack settings. If everything still works in Jetpack, you’re done. Your site is effectively immune to the XML-RPC attacks that might cause it to run slowly.

Frequently asked questions

1. This plugin hasn’t been updated in a while. Is it safe to use?

This is a great question, and we’re usually sticklers for only recommending plugins that have been recently updated and tested.

In this case, we’re still recommending this plugin because it’s so targeted and performs such a valuable service, improving both security and performance (because XML-RPC attacks consume server resources even when they’re not successful). And it’s a lean plugin, which means it doesn’t add a lot of coding or consume a lot of resources itself. Part of the reason it hasn’t been updated is there’s just not much to update. It’s a small, focused plugin that does its work well!

2. If I have Wordfence / Sucuri / another security plugin installed, do I still need this one?

While various security plugins may detect and stop brute force attacks, Stop XML-RPC Attacks actually disallows access to the service entirely except to whitelisted sources. That means while other security services need to spin up additional PHP services to do their blocking (which consumes additional resources), Stop XML-RPC simply blocks the requests before they even get to WordPress.

3. Can I allow additional services to use XML-RPC?

If there was one change we could make to this plugin, it would be to allow site owners to add additional IP addresses to the allowed services directly from their dashboard. Unfortunately, the plugin doesn’t have a settings area, so this isn’t possible. The plugin does provide filters that other plugins or themes can use to white list IPs or blocks of IPs (you can find a list of these filters under “Actions and Filters” on the plugin page). If you have a non-WordPress service that needs to use XML-RPC, using those filters in some custom PHP code in your theme’s functions.php file will make that happen. And if you host with us, we’re happy to help.


Installing the Stop XML-RPC Attack plugin is just one of the steps we recommend taking to keep your WordPress site secure. For our other recommendations, download our free printable security audit.

Have you experienced an XML-RPC attack?

Are you currently using this plugin? Have you blocked XML-RPC altogether in your functions.php file? We’d love to hear how you deal with XML-RPC attacks.

Protect your WordPress site from an XML-RPC attack

Joel Boonstra

Partner and Software Developer at Agathon
Joel is responsible for a variety of business management tasks, and for building internal tools for the team to use. He also uses his years of experience to help with hosting support, building software, and general troubleshooting.
Joel Boonstra

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.