One day I got a bunch of notifications from my WordPress security plugin that some IP addresses were blocked because of multiple incorrect login attempts. By itself, this is nothing to wonder at – after all, WordPress is the platform most targeted by hackers simply because it’s so popular. What was surprising was that it shouldn’t have been possible on my site.
I use a special technique to hide my login page from anyone who doesn’t know an exact sequence of characters. It’s not just “site.com/wp-login.php”. So how come hackers were able to even attempt to log in? It didn’t make sense. So I pulled up the raw access logs from cPanel and searched for the blocked addresses to see what they had accessed.
And of course, I should have seen it coming – it was xmlrpc.php.
What is xmlrpc.php?
Complex details aside, XML-RPC is a protocol that allows third parties to interact with your site. With it, you can make connections to other sites and integrate their features with yours. The popular Jetpack plugin is probably the most conspicuous user of XML-RPC, but other services use it as well.
While a great idea in theory, the fact is that xmlrpc.php is a favorite target for attackers. Since it provides a programmatic way to log in, attackers can literally attempt to log in hundreds of times in a very short period. This is unlike the regular login page, where each attempt means waiting for the page to load and submitting the form.
If you don’t take any measures, XML-RPC attacks will slow down your site, might get you penalized by your web host, and possibly compromise your security.
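Before picking a method, it is worth confirming from the raw access log that xmlrpc.php is the endpoint being hammered, which is exactly what gave the game away above. The script below is an added example, not part of the original post: it tallies POSTs to xmlrpc.php per client IP over constructed sample log lines and skips clients inside an allowed range, which is assumed here to be Jetpack's 192.0.64.0/18 (192.0.64.0 to 192.0.127.255).

```shell
#!/bin/sh
# Constructed Apache combined-format access log lines (sample data, not from a real server).
LOG_SAMPLE='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
192.0.99.12 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"'

# Read an access log on stdin and print "ip count" for every client that POSTed to
# xmlrpc.php more than $1 times, skipping clients inside the allowed CIDR $2
# (defaults to the Jetpack range used by the .htaccess whitelist, 192.0.64.0/18).
xmlrpc_offenders() {
    awk -v threshold="$1" -v cidr="${2:-192.0.64.0/18}" '
        # dotted quad to 32-bit integer (POSIX awk has no bitwise ops, so use arithmetic)
        function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        # network prefix: the top "bits" bits of the address
        function prefix(ip, bits) { return int(ip2int(ip) / 2^(32 - bits)) }
        BEGIN { split(cidr, c, "/"); net = c[1]; bits = c[2] }
        # combined log format: $1 client IP, $6 "METHOD, $7 request path
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] > threshold && prefix(ip, bits) != prefix(net, bits))
                    print ip, hits[ip]
        }'
}

# Usage: flag anyone with more than 2 xmlrpc.php POSTs (Jetpack traffic is ignored)
printf '%s\n' "$LOG_SAMPLE" | xmlrpc_offenders 2
```

On a real server, replace the sample with the cPanel raw access log on stdin; any IP it reports that is not a service you use is a candidate for a plugin block or a firewall rule.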
Method 1: Enable the Jetpack Protection Module
This is probably the most “lite” step to take. You probably already have Jetpack installed on WordPress. If you don’t, you should! It’s got a bunch of useful features and can also double up as a CDN. Once you’ve installed it, click Settings on the left-hand side of the admin dashboard and go to the “Security” tab. Here, scroll down until you see the section “Brute force attack prevention”, and turn the switch on as shown here:
Jetpack will take some measures to ensure that brute force attacks via XML-RPC will be stopped before they become a problem. This doesn’t disable XML-RPC, but tries to prevent its abuse.
But it might not be enough.
Method 2: Block XML-RPC Entirely
The second idea is to simply block XML-RPC. Other than Jetpack, you probably don’t use it anyway. And if you don’t have Jetpack, best to disable it altogether.
To do this, open your .htaccess file. It’s not easy to do this from WordPress, but if you have the Yoast SEO plugin installed, there’s an easy way. Just go to “SEO” in the dashboard, click “Tools”, and choose the “File editor” as shown here:
This will allow you to edit your .htaccess file. Paste the following code into it and save your changes.
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>
This will simply deny access to xmlrpc.php to everyone. Problem solved! But what if you want to use Jetpack? Since it’s such a popular plugin, we need a way to allow Jetpack’s servers to access XML-RPC.
Method 3: Whitelisting Jetpack
Instead of the code above, we can whitelist Jetpack’s IP address range using the following code:
<Files xmlrpc.php>
    # Order/Allow/Deny are Apache 2.2 directives; on Apache 2.4 they need mod_access_compat
    Order allow,deny
    # Jetpack's range 192.0.64.0 to 192.0.127.255; "Allow from" takes CIDR notation, not a start/end pair
    Allow from 192.0.64.0/18
    Deny from all
    Satisfy All
    # A full URL here makes Apache redirect blocked clients rather than serve a 403 page
    ErrorDocument 403 http://127.0.0.1/
</Files>
Now whenever someone tries to directly access xmlrpc.php, they’ll see this:
And that’s it! You’ve successfully secured your site from XML-RPC attacks!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
MishiG says
Hi Bhagwad!
It seems to be working almost perfectly, but it does not show a 403, just an empty page at this IP http://127.0.0.1/. Do I need to change this IP in the file?
Bhagwad Park says
What you can do is create a 403.html file in your directory and use that URL instead of http://127.0.0.1/ in the .htaccess file.
Alex Neihaus says
Or, instead of causing a redirect just have Apache output some text:
…
ErrorDocument 403 Forbidden!
…
For example: https://www.yobyot.com/xmlrpc.php
Nice tip
Marcus says
How did you end up setting up the block for xmlrpc? I would like to do something similar, since I’m getting a lot of unwanted requests and I can’t disable xmlrpc because of Jetpack.
Thanks,
Julian says
Hey Bhagwad,
Jetpack support told me that their IP address can and is likely to change in the future, so we would have to check and update this rule to make sure Jetpack still works.
Bhagwad Park says
This is true. Unfortunately, Automattic doesn’t maintain a text file with their current IP list like Cloudflare, so this rule might need to be updated at regular intervals…
Arsie Organo Jr says
Hi Bhagwad,
If I use this code below:
Order allow,deny
Deny from all
I just want to confirm if it will also block me from trying to login remotely to my wp-admin page?
Steve Ervin says
How would you use the remote admin panel plugins with this?
Eric says
I have blocked xml-rpc and Jetpack still works.
Grant Crawley says
Automattic does have an official file with the Jetpack IP range, you can get it from https://jetpack.com/ips-v4.txt