How to Reduce Attacks Against WordPress XMLRPC
Hey fellow bloggers and WordPress lovers. I’m here with some bad news today, but hopefully we can get through it together.
Over the past few weeks, but specifically over the last couple of days, I’ve noticed a ton of hits toward many of my clients’ XMLRPC.php files. After looking it over and confirming my findings on the Sucuri blog, I realized there is an uptick in brute force attacks going on.
This one is not good since they are using the ever-vulnerable xmlrpc.php file to orchestrate the brute force attack. While I hate brute force attacks, they still happen each and every day on WordPress because people don’t take the right precautions, mostly keeping the default “admin” username and not using strong passwords.
Related: How to block access to wp-login.php
If you have a problem remembering passwords, use a service like LastPass to generate and hold your passwords. You can create some really complex ones.
How to Put a Stop to These Brute Force Attacks
Since they are targeting the xmlrpc.php file, it would be wise to just block access to it. Unfortunately, many people use the Jetpack plugin, which talks to your site through xmlrpc.php, but I would still recommend blocking it. I’ve used Jetpack with this code in my .htaccess file before and you can still get stats. It’s more important to have the protection than the extra features in Jetpack.
While it would be wise for your host to put a stop to this, many shared hosting services do not have these protections in place. Services like Bluehost or Hostgator will rely on you to block access to xmlrpc.php. Other hosts like BigScoots and SiteGround will do it for you.
If you have access to cPanel in your hosting account, navigate to the File Manager and make sure to tick the box “show hidden dot files” so that .htaccess is visible.
Once you get into the file manager, look for .htaccess and then click “edit.”
It will open a text editor and you need to enter this information at the top of your file:
# Block every request to xmlrpc.php (Apache 2.2 access-control syntax)
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
Hit save and you’re done. That will block all access to xmlrpc.php and visitors hitting it will get a 403 Forbidden response. If you have Jetpack and want to keep some of its features, you can put this code in instead:
# Block xmlrpc.php for everyone except requests from wordpress.com (Jetpack).
# Matching on a hostname makes Apache do a reverse DNS lookup on each request,
# so this is slightly slower than matching on IP addresses.
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from wordpress.com
</Files>
While it would be nice to just be able to use a plugin like Wordfence to stop these attacks, they are not hitting wp-login.php like normal brute force attacks. They are quietly hitting the xmlrpc.php file with hundreds, if not thousands, of username/password combinations. That’s just not good.
What this fix does not do is stop the POST requests from reaching the server. Apache still has to receive each request before it can answer with a 403, so stopping the traffic further out would need to be taken care of by your host. It can really pull down the performance of the server when hundreds of requests are coming in.
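Because the requests keep arriving even after the block, the way to see what is going on is your Apache access log. The script below is an added example (my own, not part of the original post or of WordPress) that reads access log lines in Apache’s combined format, counts POST requests to xmlrpc.php per client IP, flags any IP that sends five or more within a minute, and summarises the status codes so you can confirm the 403s from the .htaccess rule are actually being served. The log lines, the IP addresses and the threshold are constructed for the example.

```python
"""Spot xmlrpc.php brute-force traffic in Apache combined-format access logs.

Added example; the log lines, IPs and thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def xmlrpc_posts(lines):
    """Yield parsed records for POST requests aimed at xmlrpc.php."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            yield rec


def flag_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: total_posts} for IPs with >= threshold xmlrpc.php POSTs
    inside any sliding window of window_seconds."""
    stamps_by_ip = defaultdict(list)
    for rec in xmlrpc_posts(lines):
        stamps_by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def xmlrpc_status_summary(lines):
    """Count HTTP status codes served to xmlrpc.php POSTs (403s mean the block works)."""
    counts = defaultdict(int)
    for rec in xmlrpc_posts(lines):
        counts[rec["status"]] += 1
    return dict(counts)


# Constructed sample: one IP hammering xmlrpc.php, one normal Jetpack-style
# call, one ordinary login page view, and one request after the block went in.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:00:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:00:27 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [10/Mar/2015:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"',
    '192.0.2.1 - - [10/Mar/2015:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/path/to/access_log") on a real server.
    print("flagged:", flag_bruteforce(SAMPLE_LOG))
    print("status codes:", xmlrpc_status_summary(SAMPLE_LOG))
```

On a real server you would feed the script the actual access log instead of the constructed sample; an IP that shows up in the flagged list is the kind of traffic the .htaccess rule is there for, and a status summary that is mostly 403s tells you the rule is doing its job even though the requests are still arriving.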
If you’re not technical or need help implementing this fix, please contact me. If you would rather try a plugin, see if this one works for you (Disable XML-RPC). I haven’t tested this plugin, but I’ve heard it still works on the latest version of WordPress.