Disable XML-RPC in WordPress to Stop Brute-Force Attacks

This Q&A covers disabling XML-RPC in WordPress to block brute-force login attempts targeting xmlrpc.php. You’ll see two approaches: using a security plugin and adding .htaccess rules. Follow the steps to tighten your site access and test changes safely.

How do I disable XML-RPC to prevent brute-force attacks?

Preventing Brute-Force Attacks by Disabling XML-RPC

XML-RPC lets external systems interact with your WordPress site. Although it offers genuine benefits, its authenticated methods are also a common target for brute-force login attempts, because every call to xmlrpc.php can carry a username and password. Here are two paths you can take to block access to xmlrpc.php and limit unwanted attempts.

1. Use a Security Plugin

  • Install a security plugin. Popular picks include Wordfence, Sucuri Security and iThemes Security.
  • Activate the plugin and open its settings area. Find the option tied to XML-RPC or xmlrpc.php and turn it off.
  • For example, in Wordfence go to Wordfence > Firewall > Brute Force Protection and select the option to disable XML-RPC authentication.

2. Block Access via .htaccess (Advanced)

  • Open the .htaccess file in the root of your WordPress install using FTP or your host’s file manager.
  • Insert this snippet to deny all requests but allow your own IP. Replace xx.xx.xx.xx with your address:
    # Apache 2.2 access-control syntax. On Apache 2.4 these directives only work
    # when mod_access_compat is loaded; without it the equivalents are
    # "Require all denied" followed by "Require ip xx.xx.xx.xx".
    <Files xmlrpc.php>
      Order deny,allow
      Deny from all
      Allow from xx.xx.xx.xx
    </Files>

Things to Watch

  • Certain plugins like Jetpack depend on XML-RPC. If you block it outright, those features might stop working. In that case use the .htaccess method and whitelist any needed IP ranges.
  • After making changes, test your site thoroughly to confirm that everything still runs as expected.
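One way to do that testing from the server side, as an added example that is not part of the original Q&A or of the WP Assistant tool: a small Python script that reads Apache access log lines and reports, per source IP, how many POSTs to xmlrpc.php reached WordPress (2xx) versus were refused by the web server (403). Run over the log before the .htaccess change it shows the guessing pattern; run afterwards it confirms that only the allow-listed address still gets through. The log lines, the IP addresses and the allow-listed 198.51.100.7 are all constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not from a real server); addresses come from the RFC 5737
# documentation ranges. 198.51.100.7 stands in for the IP allow-listed in .htaccess.
BEFORE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1024 "-" "Jetpack"
"""
AFTER_LOG = """\
203.0.113.5 - - [10/May/2024:13:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:13:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:13:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1024 "-" "Jetpack"
"""

def xmlrpc_report(log_text, threshold=3):
    """Per-IP counts of xmlrpc.php requests: 'allowed' (2xx, reached WordPress),
    'blocked' (403 from the web server), and 'suspicious' when allowed >= threshold."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?")[0] != "/xmlrpc.php":
            continue  # skip unparsable lines and anything that is not the XML-RPC endpoint
        status = int(m.group("status"))
        if status == 403:
            counts[m.group("ip")]["blocked"] += 1
        elif 200 <= status < 300:
            counts[m.group("ip")]["allowed"] += 1
    for c in counts.values():
        c["suspicious"] = c["allowed"] >= threshold
    return dict(counts)

def rule_effective(report, allowed_ips):
    """True when only allow-listed IPs still reach xmlrpc.php and none of them is denied."""
    for ip, c in report.items():
        if ip in allowed_ips and c["blocked"]:
            return False  # the Allow line is wrong: legitimate traffic is being denied
        if ip not in allowed_ips and c["allowed"]:
            return False  # the Deny line is not taking effect for this client
    return True
```

Feed it your real access log with `xmlrpc_report(open("/var/log/apache2/access.log").read())` and pass the IP you put in the Allow line to `rule_effective`.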

Need human WordPress help?

WP Assistant is a free tool created by Atiba Software, a WordPress design and development company located in Nashville, TN. If you need more personalized WordPress assistance let us know, and we’ll get back to you ASAP!