How to protect your WordPress from XML-RPC attack

WordPress is the most popular Content Management System. This popularity makes WordPress a perfect target for hackers. The most common attack faced by a WordPress site is XML-RPC attack. The WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as encoding mechanism which allows for a wide range of data to be transmitted. Today in this tutorial I will show you how to protect your WordPress from XML-RPC attack.

The Problems with XML-RPC

The two biggest assets of the API is its extendability and its security. XML-RPC authenticates with basic authentication. It sends the username and password with each request.

XML-RPC Attacks

Randomly “Error establishing database connection” error is displaying on the WordPress site.
“Out of memory” error in web console.
“Cannot open the file no such file/directory” error in web server error log.
“POST /xmlrpc.php HTTP/1.0” error in webserver access log.

Blocking XML-RPC attack

If you don’t use XML-RPC at all, perhaps the best thing you can do is disable it via plug-in or you can do this with code by adding the following to a plugin or theme:

add_filter( 'xmlrpc_enabled', '__return_false' );

Add Following code in .htacess file

<files xmlrpc.php>
order allow,deny
deny from all


location ~* ^/xmlrpc.php$ {
	return 403;
How to check WordPress XML-RPC?

If your try to open, it will show forbidden.