Automatically Block XML-RPC Brute Force Amplification Attacks Against WordPress

By 10th October 2015 April 22nd, 2020 Shield Security
Shield Security plugin for WordPress

Sucuri has released a security advisory notice of a new brute force attack against WordPress XML-RPC.

We’ve released an update to our Shield Security to easily block XML-RPC brute force login attacks.

You wont need to edit your .htaccess or write any code. With our plugin you just turn on an option that uses WordPress to disable XML-RPC login.

Read on to learn more.

How to block brute force login attacks over XML-RPC

Shield Plugin: Disable WordPress XML-RPC

Disable WordPress XML-RPC

This new option is found in v4.12.0 and above. If you haven’t already, please ensure you’re running the latest version of the plugin.

Select ‘Lockdown’ under the Shield Security menu item on the left-hand side to access the option. Then select the tab “Lockdown” and you’ll see the XML-RPC option.

Check the box to turn off XML-RPC and save the options page. You’ll now be protected against any possible XML-RPC brute force login attacks.

How to check and confirm XML-RPC functionality is disabled

There is a very simple website provided to help you confirm that your XML-RPC is disabled.

  1. Go to:
  2. Enter your WordPress site URL in the ‘Address’ field
  3. Click the ‘Check’ button.

You should receive a response page detailing how your XML-RPC server isn’t available.

Implications of disabling the WordPress XML-RPC system

You should be aware of what may be affected by disabling the XML-RPC system on your WordPress sites.

  • Certain JetPack plugin functionality will be impacted
  • The mobile Android/IOS apps will be broken with your site since they run over the XML-RPC system
  • Any other system or plugin that uses your site’s XML-RPC system to communicate and operate your site.

How we turn off the XML-RPC system

For those that would like to know the technical details of how exactly we’re turning off the XML-RPC system on your WordPress site.

As always, we never touch your .htaccess file and instead use the native WordPress filters and action hooks to change site settings.  In this case, we simply use the standard WordPress filter: ‘xmlrpc_enabled‘, using the following code:

add_filter( 'xmlrpc_enabled', '__return_false', 1000 );

There are other ways to turn off XML-RPC, but we feel WordPress compatibility is the most important.

Note: You may already have been protected

Sucuri reports that security plugins aren’t protecting against this problem, but they’re completely wrong. Previous versions of our Shield Security already contained blocks for XML-RPC.

The Login Protection and User Management modules both contain an option to let XML-RPC by-pass their protection mechanisms. This was offered for users who wanted to be compatibile with other services (as outlined above).

If you had removed the by-pass option, you would already be protected today.  This is a perfect example of why you should set as high a level of security as possible when you’re configuring your WordPress sites.

The purpose of the new release today was to make this easier to configure for users who may not have set this before now.

Join the discussion 11 Comments

Leave a Reply

x Logo: ShieldPRO
This Site Is Protected By