xmlrpc.php – Are you being attacked?

What is an xmlrpc attack?

xmlrpc.php exposes the system.multicall method, which executes multiple methods inside a single request.

This lets an application pass many commands in one HTTP request, so bots and attackers can use system.multicall to try hundreds or thousands of passwords with a single HTTP request.
Thousands of password attempts can therefore fit into just 3-4 HTTP requests. Such requests bypass security tools designed to block brute-force attempts, because each request produces only one entry in the log file no matter how many calls it bundles.
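To see why a single log line hides the batching, the following added example (not code from the original post) parses an XML-RPC POST body and counts the calls a system.multicall bundles, the check a body-inspecting hook such as a WAF or reverse proxy would run. The threshold, the sample body and its parameter layout are assumptions, not taken from the page.

```python
import xmlrpc.client
from collections import Counter
from xml.parsers.expat import ExpatError

# Assumed tuning value (not from the page): a real client seldom bundles more
# than a handful of calls in one system.multicall; hundreds means batching.
MAX_CALLS_PER_REQUEST = 5


def analyze_xmlrpc_body(body):
    """Parse one XML-RPC POST body and summarise the calls it carries.

    Returns a dict with the top-level method, how many inner calls a
    system.multicall bundles, a per-method count of those inner calls and
    a 'suspicious' flag; returns None when the body is not valid XML-RPC.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.ResponseError, TypeError, ValueError):
        return None
    if method == "system.multicall" and params and isinstance(params[0], list):
        # Each element is a struct {"methodName": ..., "params": [...]}
        inner = [c for c in params[0] if isinstance(c, dict)]
        methods = Counter(str(c.get("methodName", "?")) for c in inner)
        count = len(inner)
    else:
        methods = Counter({method: 1})
        count = 1
    return {
        "method": method,
        "call_count": count,
        "inner_methods": dict(methods),
        "suspicious": count > MAX_CALLS_PER_REQUEST,
    }


def build_multicall(calls):
    """Encode a list of {methodName, params} structs as one system.multicall
    request body, i.e. the single HTTP request the text describes."""
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


# Constructed sample: 200 wp.getUsersBlogs calls, each with its own credential
# pair, packed into one request (parameter layout assumed, not from the page).
SAMPLE_BODY = build_multicall([
    {"methodName": "wp.getUsersBlogs", "params": ["admin", f"guess{i}"]}
    for i in range(200)
])

if __name__ == "__main__":
    print(analyze_xmlrpc_body(SAMPLE_BODY))
```

A web-server access log sees SAMPLE_BODY as one POST to /xmlrpc.php; only the parsed body reveals the 200 nested calls.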

Quick Links:
Apache .htaccess configuration
Apache .htaccess with WordPress IP
Nginx configuration


NOTE: WordPress, Drupal and most content management systems support XML-RPC.

It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages.

Basic Apache configuration:

To prevent xmlrpc attacks, add the following to a .htaccess file. This will deny ALL access to xmlrpc.php.

Note: This may break plugins that rely on xmlrpc. This solution is NOT ideal. Keep reading for other potential solutions.

<Files "xmlrpc.php">
    Order Allow,Deny
    Deny from all
</Files>


If you have applications or plugins that need xmlrpc, or you are a hosting reseller, you will want to add something similar to the code below. This code allows the WordPress IP range (the current range, which could change) and denies potential attacks from everywhere else:

Apache .htaccess

<Files "xmlrpc.php">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.64.0/18
    Satisfy All
    ErrorDocument 403 http://127.0.0.1/
</Files>


Nginx

Deny all through an nginx server block:

location = /xmlrpc.php {
    deny all;
    access_log off;       # keep blocked requests from filling up the access log
    error_log /dev/null;  # "error_log off" is not valid in nginx (it writes to a file named "off"); discard to /dev/null instead
}

Jetpack

This WordPress plugin does come with xmlrpc.php protection from brute force.
Note: This is SITE specific and will not cover WordPress sites system wide.
Jetpack: https://wordpress.org/plugins/jetpack/