
Block xmlrpc.php Attacks on WordPress — One Rule, Full Protection

WordPress xmlrpc.php is a legacy endpoint exploited for brute force amplification, DDoS via pingback abuse, SSRF, and credential stuffing. PowerWAF blocks every malicious xmlrpc.php request at the edge — no plugins, no .htaccess rules, no code changes.


OWASP A05:2021

xmlrpc.php: WordPress's Most Dangerous Legacy Endpoint

WordPress ships with xmlrpc.php enabled by default. Originally designed for remote publishing, pingbacks, and third-party app communication, this endpoint is rarely needed on modern WordPress sites. The REST API has replaced its legitimate uses — but xmlrpc.php remains active and exposed on millions of sites, providing attackers with a powerful entry point that bypasses most WordPress security plugins.

86% of WordPress sites have xmlrpc.php enabled and publicly accessible, despite never using it

The system.multicall method lets attackers test hundreds of credentials in a single request. The pingback.ping method turns your site into a node in a DDoS botnet. Blocking xmlrpc.php at the server level requires .htaccess edits or plugin configuration that can break during updates. PowerWAF blocks it at the edge — before the request reaches your server.

How Attackers Exploit xmlrpc.php

Five attack vectors through a single WordPress endpoint — all bypassing traditional login protection.


system.multicall Brute Force

Attackers use system.multicall to bundle hundreds of wp.getUsersBlogs authentication attempts into a single HTTP request, bypassing rate limiting entirely.

<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value>
              <struct>
                <member>
                  <name>methodName</name>
                  <value>wp.getUsersBlogs</value>
                </member>
                <member>
                  <name>params</name>
                  <value>
                    <array>
                      <data>
                        <value>admin</value>
                        <value>password123</value>
                      </data>
                    </array>
                  </value>
                </member>
              </struct>
            </value>
          </data>
        </array>
      </value>
    </param>
  </params>
</methodCall>

DDoS via Pingback

The pingback.ping method turns WordPress sites into unwitting DDoS amplifiers. Attackers send pingback requests to thousands of sites, all targeting a single victim URL.

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value>https://attacker.com/post</value></param>
    <param><value>https://victim-site.com/</value></param>
  </params>
</methodCall>

SSRF through XML-RPC

The pingback method forces the WordPress server to make HTTP requests to arbitrary URLs, enabling Server-Side Request Forgery to scan internal networks and access internal services.

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value>https://attacker.com/</value></param>
    <param><value>http://192.168.1.1:8080/admin</value></param>
  </params>
</methodCall>

Credential Brute Force

Direct authentication calls via wp.getUsersBlogs or wp.getUsers bypass wp-login.php entirely, evading CAPTCHA, two-factor, and login lockout plugins.

<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value>admin</value></param>
    <param><value>P@ssw0rd!</value></param>
  </params>
</methodCall>

Internal Port Scanning

By analyzing response times and error codes from pingback requests, attackers can map internal network services and open ports behind the firewall.

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value>https://attacker.com/</value></param>
    <param><value>http://127.0.0.1:3306/</value></param>
  </params>
</methodCall>

How PowerWAF Stops xmlrpc.php Abuse

Edge-level protection that eliminates xmlrpc.php as an attack vector — without breaking legitimate functionality.


Complete xmlrpc Blocking

Block all requests to /xmlrpc.php at the edge with a single rule. Requests never reach your WordPress server, eliminating the entire attack surface instantly.

Eliminates 100% of xmlrpc.php attacks

Selective Method Filtering

If your site uses XML-RPC for legitimate purposes, PowerWAF can block only dangerous methods like system.multicall and pingback.ping while allowing safe operations through.

Blocks dangerous methods, allows safe ones
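The selective mode described above needs the edge to look inside the POST body rather than at the URL alone, and in particular to flatten system.multicall so that every bundled method is seen. The following Python inspector is an added example, not PowerWAF's own rule logic (the page does not show its rule language): it parses the body with the standard library, denies the two methods the page singles out, tags the authentication methods that bypass wp-login.php so a rate limiter can count them, and fails closed on anything it cannot parse. The deny and auth sets, the "full"/"selective" mode switch and the sample bodies are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Assumed policy for the "selective" mode (not PowerWAF's rule set). The method
# names are real WordPress XML-RPC methods; which ones to deny is a local decision.
DENY_METHODS = {"system.multicall", "pingback.ping"}
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getUsers"}


def _value_text(value_el):
    """XML-RPC allows <value>text</value> as well as <value><string>text</string></value>."""
    inner = value_el.find("string")
    text = inner.text if inner is not None else value_el.text
    return (text or "").strip()


def extract_methods(body):
    """Return [top-level method] followed by every methodName bundled in a system.multicall.
    Raises ET.ParseError on malformed XML and ValueError on a body that is not a methodCall."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("root element is not <methodCall>")
    name_el = root.find("methodName")
    if name_el is None or not (name_el.text or "").strip():
        raise ValueError("missing <methodName>")
    methods = [name_el.text.strip()]
    if methods[0] == "system.multicall":
        # Each bundled call is a <struct> whose "methodName" member names the inner method.
        for member in root.iter("member"):
            name, value = member.find("name"), member.find("value")
            if name is not None and name.text == "methodName" and value is not None:
                methods.append(_value_text(value))
    return methods


def inspect_xmlrpc(body, mode="selective"):
    """Decide what to do with one POST /xmlrpc.php body.
    Returns {"action": "BLOCK"|"ALLOW", "reason": str, "methods": [...]}."""
    if mode == "full":
        return {"action": "BLOCK", "reason": "xmlrpc.php disabled", "methods": []}
    try:
        methods = extract_methods(body)
    except (ET.ParseError, ValueError) as exc:
        # Fail closed: a body the edge cannot read is not forwarded to PHP.
        return {"action": "BLOCK", "reason": f"malformed body: {exc}", "methods": []}
    top = methods[0]
    if top == "system.multicall":
        bundled = sorted(set(methods[1:]))
        return {"action": "BLOCK", "methods": methods,
                "reason": f"system.multicall bundles {len(methods) - 1} call(s): {bundled}"}
    if top in DENY_METHODS:
        return {"action": "BLOCK", "reason": f"{top} is denied", "methods": methods}
    if top in AUTH_METHODS:
        return {"action": "ALLOW", "methods": methods,
                "reason": f"{top} is an authentication call; counted toward the per-IP limit"}
    return {"action": "ALLOW", "reason": f"{top} is not on the deny list", "methods": methods}


# Constructed request bodies, modelled on the shapes shown above.
MULTICALL_BODY = """<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct>
<member><name>methodName</name><value>wp.getUsersBlogs</value></member>
<member><name>params</name><value><array><data><value>admin</value><value>password123</value></data></array></value></member>
</struct></value>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value>admin</value><value>letmein</value></data></array></value></member>
</struct></value>
</data></array></value></param></params></methodCall>"""
PINGBACK_BODY = """<methodCall><methodName>pingback.ping</methodName><params>
<param><value>https://attacker.example/</value></param>
<param><value>http://127.0.0.1:3306/</value></param></params></methodCall>"""
SINGLE_AUTH_BODY = """<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value>admin</value></param><param><value>P@ssw0rd!</value></param></params></methodCall>"""
HELLO_BODY = "<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"
BROKEN_BODY = "<methodCall><methodName>system.multicall"

if __name__ == "__main__":
    for label, body in [("multicall", MULTICALL_BODY), ("pingback", PINGBACK_BODY),
                        ("single auth", SINGLE_AUTH_BODY), ("sayHello", HELLO_BODY),
                        ("truncated", BROKEN_BODY)]:
        verdict = inspect_xmlrpc(body)
        print(f"{label:12} {verdict['action']:5} {verdict['reason']}")
```

Two caveats for anyone running this at a real edge: cap the body size before parsing (an XML-RPC body has no business being megabytes long), and prefer a hardened parser such as defusedxml over the stock ElementTree so entity-expansion payloads are rejected rather than expanded.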

Rate Limiting

Enforce strict rate limits on xmlrpc.php requests to prevent brute force amplification. Even if individual requests slip through, attackers cannot achieve the volume needed for credential stuffing.

Limits request frequency per IP
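To make the per-IP rate limit concrete, here is an added Python example (not PowerWAF code) that replays Combined Log Format access-log lines through a sliding-window limiter and counts only POST /xmlrpc.php, leaving REST and wp-login.php traffic alone. The sample log, the limit of 5 requests per 60 seconds and the IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format as written by nginx/Apache: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, unix_time, method, path) or None for a line the regex does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key inside any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of allowed hits, oldest first

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # rejected hits are not recorded, so a burst cannot extend its own block
        q.append(now)
        return True


def apply_xmlrpc_limit(lines, limit=5, window=60):
    """Replay log lines through the limiter; only POST /xmlrpc.php is counted.
    Returns ({ip: allowed_count}, {ip: blocked_count})."""
    limiter = SlidingWindowLimiter(limit, window)
    allowed, blocked = defaultdict(int), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != "/xmlrpc.php":
            continue  # REST, wp-login.php and plain GETs are outside this rule
        if limiter.allow(ip, ts):
            allowed[ip] += 1
        else:
            blocked[ip] += 1
    return dict(allowed), dict(blocked)


# Constructed access log: one client hammers xmlrpc.php every 5 s, another uses it
# twice in a minute alongside the REST API; the last line is deliberately unparseable.
SAMPLE_LOG = """\
198.51.100.87 - - [10/Mar/2025:14:22:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.50 - - [10/Mar/2025:14:22:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8123 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:22:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:22:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.50 - - [10/Mar/2025:14:22:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:22:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:22:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.12 - - [10/Mar/2025:14:22:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:22:25 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:22:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:22:35 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.50 - - [10/Mar/2025:14:22:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
198.51.100.87 - - [10/Mar/2025:14:23:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
this line is not an access-log record
"""

if __name__ == "__main__":
    ok, denied = apply_xmlrpc_limit(SAMPLE_LOG.splitlines())
    for ip in sorted(set(ok) | set(denied)):
        print(f"{ip:15} allowed={ok.get(ip, 0)} blocked={denied.get(ip, 0)}")
```

A limiter counts requests, not credentials: one system.multicall body can carry hundreds of login attempts and still be a single hit here, which is why the page pairs rate limiting with method filtering rather than relying on either alone.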

Bot Detection

Identify and block automated tools, scripts, and botnets targeting xmlrpc.php. Legitimate users and applications are distinguished from attack traffic using behavioral analysis.

Stops automated attack tools

Virtual Patching

Known CVEs targeting WordPress XML-RPC are blocked with virtual patches. Protection is active immediately when new vulnerabilities are disclosed — no WordPress updates required.

Instant protection for new CVEs

Block xmlrpc.php in Three Steps

No .htaccess edits. No plugins to install. No server restarts.

1. Point DNS

Update your DNS records to route traffic through PowerWAF. Your WordPress server stays exactly as it is.

2. Enable xmlrpc Protection

Activate the xmlrpc.php blocking rule from your PowerWAF dashboard. Choose full block or selective method filtering.

3. Monitor & Verify

Watch blocked xmlrpc.php attacks in real time. Review logs to confirm legitimate traffic is unaffected.

Works with any WordPress hosting: shared, VPS, dedicated, or managed WordPress providers.

See PowerWAF in Action

Real-time view of xmlrpc.php attacks being detected and blocked at the edge.

powerwaf-access-log — live
14:22:01 BLOCKED 198.51.100.87 POST /xmlrpc.php → system.multicall brute force (500 credentials)
14:22:02 BLOCKED 198.51.100.23 POST /xmlrpc.php → pingback.ping DDoS amplification
14:22:03 ALLOWED 203.0.113.50 GET /wp-admin/ → Authenticated admin access
14:22:04 BLOCKED 203.0.113.42 POST /xmlrpc.php → wp.getUsersBlogs credential brute force
14:22:05 BLOCKED 198.51.100.87 POST /xmlrpc.php → pingback.ping SSRF to 192.168.1.0/24
14:22:06 ALLOWED 198.51.100.12 POST /wp-login.php → Legitimate admin login
14:22:07 BLOCKED 198.51.100.23 POST /xmlrpc.php → system.multicall with wp.getUsers enumeration
14:22:08 BLOCKED 203.0.113.42 POST /xmlrpc.php → pingback.ping port scan on 127.0.0.1
14:22:09 ALLOWED 203.0.113.50 GET /wp-json/wp/v2/posts → Legitimate REST API request
14:22:10 BLOCKED 198.51.100.87 POST /xmlrpc.php → system.multicall brute force (1,000 credentials)

Simulated log showing how PowerWAF blocks xmlrpc.php attacks while allowing legitimate WordPress traffic through.

Proven Protection at Scale

< 5 min Average setup time — DNS change only
0 WordPress plugins or .htaccess edits required
24/7 Real-time monitoring and automatic blocking

Real-World Scenarios

WordPress Blog Under Brute Force Attack

A popular WordPress blog receives thousands of system.multicall requests per hour, each containing hundreds of password attempts. Login lockout plugins are useless because the attacks bypass wp-login.php entirely. PowerWAF blocks every xmlrpc.php request at the edge, stopping the brute force before it reaches the server.

WordPress Site Used as DDoS Amplifier

An attacker discovers xmlrpc.php is enabled and begins sending pingback requests to flood a third-party victim. The site owner has no idea their server is participating in a DDoS attack. PowerWAF blocks all pingback abuse, preventing the site from being weaponized.

Agency Managing 50+ WordPress Sites

A web agency needs to disable xmlrpc.php across dozens of WordPress installations on different hosts. Editing .htaccess or installing plugins on each site is time-consuming and error-prone. PowerWAF provides centralized xmlrpc.php blocking for all sites from a single dashboard.

Works with any WordPress setup

WordPress.org
WooCommerce
WordPress Multisite
Jetpack
cPanel Hosting
Managed WordPress
Nginx Servers
Apache Servers
Docker / Kubernetes
Any WordPress Host

Frequently Asked Questions

What is xmlrpc.php in WordPress?
xmlrpc.php is a WordPress core file that enables remote communication using the XML-RPC protocol. It was originally designed for features like remote publishing, pingbacks, and trackbacks. However, most modern WordPress sites use the REST API instead, making xmlrpc.php an unnecessary attack surface that should be blocked.
Why is xmlrpc.php dangerous?
xmlrpc.php exposes several dangerous methods. The system.multicall method allows attackers to test hundreds of passwords in a single HTTP request, bypassing rate limiting. The pingback.ping method can be abused for DDoS amplification and SSRF attacks. Because xmlrpc.php bypasses wp-login.php, traditional login protection plugins do not block these attacks.
How does PowerWAF block xmlrpc.php attacks?
PowerWAF operates as a reverse proxy in front of your WordPress site. It inspects all requests to xmlrpc.php and can block them entirely, filter specific XML-RPC methods like system.multicall and pingback.ping, or apply rate limiting. No WordPress plugin installation or server configuration changes are needed.
Will blocking xmlrpc.php break my WordPress site?
For the vast majority of WordPress sites, no. Most modern WordPress features use the REST API instead of XML-RPC. The only features that may be affected are the legacy WordPress mobile app (older versions), Jetpack (older configurations), and pingbacks/trackbacks. PowerWAF can selectively block dangerous methods while allowing safe ones if needed.
Can attackers brute force passwords through xmlrpc.php?
Yes, and it is far more efficient than brute forcing through wp-login.php. Using the system.multicall method, an attacker can test hundreds or even thousands of username/password combinations in a single HTTP request. This bypasses most login rate limiting, account lockout plugins, and CAPTCHA protections because they only monitor wp-login.php.
What is a pingback DDoS attack?
In a pingback DDoS attack, the attacker sends XML-RPC pingback requests to thousands of WordPress sites with xmlrpc.php enabled, pointing them all at a single target URL. Each WordPress site then makes an HTTP request to the target, creating a distributed denial-of-service attack. The WordPress sites unknowingly become part of the botnet.
Do I need to install a WordPress plugin to block xmlrpc.php?
No. PowerWAF operates as an external reverse proxy — you simply update your DNS records to route traffic through PowerWAF. Unlike WordPress security plugins that run inside PHP, PowerWAF blocks malicious xmlrpc.php requests at the edge before they reach your server. No plugin installation, no .htaccess edits, no PHP overhead.

Block xmlrpc.php Attacks Today

No credit card required. No plugins to install. Set up in under 5 minutes.
