XML-RPC is enabled by default in WordPress because it helps connecting your WordPress site with web and mobile apps.

However because of it’s powerful nature, XML-RPC can significantly amplify the brute-force attacks.

What does "amplified brute-force attack" mean?

This means instead of trying thousands of usernames and password combinations via login page, hackers can use the XML-RPC protocol in conjunction with the system.multicall method that allows them to:

  • Go undetected by normal brute-force mitigation products
  • Try hundreds of thousands of username and password combinations with few XML-RPC requests.

Recommendation: If you don’t use XML-RPC at all, perhaps best thing you can do is to disable it.

How to block brute force login attacks over XML-RPC

You can have Shield to help you with this. Simply go to the Shield => Settings => Lockdown module => API & XML-RPC => and enable "Disable The XML-RPC System" option:

You’ll now be protected against any possible XML-RPC brute force login attacks.

Hint: If you want to check and confirm XML-RPC functionality is disabled, you can

  1. Go to: http://xmlrpc.eritreo.it/
  2. Enter your WordPress site URL in the ‘Address’ field
  3. Click the ‘Check’ button.

You should receive a response page detailing how your XML-RPC server isn’t available.

What are the implications of disabling the WordPress XML-RPC system?

You should be aware of what may be affected by disabling the XML-RPC system on your WordPress site:

  • Certain JetPack plugin functionality will be impacted
  • The mobile Android/IOS apps will be broken with your site since they run over the XML-RPC system
  • Any other system or plugin that uses your site’s XML-RPC system to communicate and operate your site.

Note: General Settings of the Shield contains an option to allow login through XML-RPC to by-pass accounts management rules. To access this option, please go to the Shield => Settings => General => Plugin Defaults => XML-RPC Compatibility. This is offered for users who want to be compatible with other services (as outlined above).

To learn more about XMP-RPC, read this blog article here.