Blocking XML-RPC Attacks in WordPress
XML-RPC is a remote procedure call protocol built into WordPress that has been repeatedly exploited for brute force attacks and DDoS amplification.
What is XML-RPC?
XML-RPC (xmlrpc.php) is a legacy API in WordPress that allows external applications to communicate with your site. It was originally built for blogging clients, the WordPress mobile app, and Jetpack. Today it is largely superseded by the WordPress REST API.
Why XML-RPC is Dangerous
- Brute force amplification — XML-RPC's system.multicall method allows an attacker to test hundreds of passwords in a single HTTP request, bypassing rate-limiting.
- Pingback DDoS — attackers can use your site's pingback endpoint to flood third-party sites with requests, making your server an unwitting participant in attacks.
- Remote code execution vectors — several historical WordPress vulnerabilities were exploited through XML-RPC.
How WP 1 Click LockDown Disables XML-RPC
The plugin disables XML-RPC at the WordPress application layer using two filter hooks, and additionally strips the pingback methods:
- xmlrpc_enabled filter — returns false, disabling all XML-RPC functionality.
- pre_option_enable_xmlrpc filter — returns 0, ensuring the option stored in the database also reflects the disabled state.
- Pingback-specific methods (pingback.ping, pingback.extensions.getPingbacks) are removed from the XML-RPC methods array at runtime.
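The three mechanisms above, written out as a small must-use plugin (an added example, not WP 1 Click LockDown's own source; the file name and the final header-suppression step are assumptions beyond what the text describes):

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Place in wp-content/mu-plugins/disable-xmlrpc.php (assumed path).
 */

// 1. xmlrpc_enabled: returning false makes WordPress reject XML-RPC calls that
//    require authentication (wp.*, blogger.*, and system.multicall carrying
//    credentials), which removes the multicall brute-force path.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. pre_option_enable_xmlrpc: short-circuit the option lookup so any code
//    reading enable_xmlrpc sees 0 without touching the database.
add_filter( 'pre_option_enable_xmlrpc', function () {
    return 0;
} );

// 3. xmlrpc_methods: drop the pingback methods from the method table so the
//    endpoint cannot be used to fire pingback requests at third-party sites,
//    even by unauthenticated callers.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 4. Extra step not in the article: stop advertising the endpoint. WordPress
//    sends an X-Pingback header and a <link rel="pingback"> URL that both
//    point at xmlrpc.php; suppressing them keeps scanners from being told
//    where the endpoint is.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

To confirm the change on your own site, POST a `system.listMethods` request to xmlrpc.php and check that the two pingback methods are absent from the response.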
Does Disabling XML-RPC Break Anything?
For most sites: no. The WordPress mobile app now uses the REST API. Jetpack can be configured to use OAuth authentication. If you are using a plugin or service that specifically requires XML-RPC, see our guide on XML-RPC and Jetpack conflicts.
If you disable XML-RPC and notice that a plugin or service has stopped working, re-enable XML-RPC temporarily, identify which service needs it, and check whether that service offers a REST API alternative.