
What Is XML-RPC and How to Stop DDoS Attacks

XML-RPC is a remote procedure call protocol that allows your WordPress website to be operated remotely. In other words, anyone who presents valid credentials, a hacker who has guessed them included, can manage your website without going through the standard “wp-login.php” login page. It’s used extensively by some plugins, most famously by the Jetpack plugin. However, the name “XML-RPC” has a bad reputation. In this tutorial, I will explain WordPress XML-RPC and how to stop XML-RPC DDoS attacks on your WordPress website.

Now the question is how to check for this problem if you are not already facing it. You can check whether XML-RPC is enabled so that you can protect your WordPress website from DDoS attacks.

A quick way to check if your site is exposed is to visit the following URL from a browser:


Type in your browser (replace with your own domain name)

If it is enabled, you will get a response like this: “XML-RPC server accepts POST requests only.”

The Dangers and Benefits of XML-RPC

There’s been a lot of back and forth in the WordPress security community about XML-RPC. There are mostly two concerns:

  1. XML-RPC can be used to DDoS (Distributed Denial of Service) a site.
  2. It can be used to repeatedly try username/password combinations to gain access to your website.

Here are a few ways to protect your website against that kind of XML-RPC attack, starting from the lightest touch and ending with the heaviest.


Method 1: Disable Pingbacks

Pingback abuse uses your server as an unwitting participant in an attack against another server. In this case, someone tells your site, “this URL is linked to your blog!” And then, your site replies with a “pingback” to that URL.

But there is no proof that the URL actually did link back to you. Do this with hundreds of vulnerable WordPress sites, and you have a DDoS (Distributed Denial of Service) attack on your hands! The simplest way to keep your site from being used in this manner is to add the following code to your theme’s functions.php:

// Remove the pingback method from the list of XML-RPC methods WordPress exposes.
function stop_pings( $vectors ) {
    unset( $vectors['pingback.ping'] );
    return $vectors;
}
add_filter( 'xmlrpc_methods', 'stop_pings' );

Method 2: Prevent All Authentication Requests via XML-RPC

This second method controls whether to allow the “XML-RPC” methods that authenticate users. One example is publishing content through e-mail: the site receives your e-mail, authenticates you via XML-RPC, and then publishes the content if the credentials match.

Many people are uncomfortable with XML-RPC’s ability to take in random calls like this. It’s what led to hundreds or thousands of authentication attempts in the first place. WordPress has also addressed this specific hacking method; you can turn it off by adding a short code snippet to your theme’s functions.php file.


Note that this is not the same as the first method I mentioned. This snippet only restricts the methods that require authentication and leaves all others, such as pingbacks, untouched.

Method 3: Disable Access to xmlrpc.php

This method is the most extreme level of blocking: it completely disables all XML-RPC functionality. Edit the “.htaccess” file at the root of your WordPress website directory and add the following code to it.

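# Deny every request for xmlrpc.php (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>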

With the above denial rules in effect, any attempt to access xmlrpc.php will be met with the server's access-denied (403 Forbidden) error page.

That’s all; you have successfully disabled XML-RPC altogether on your WordPress Site.
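To see whether a site is actually receiving bursts of XML-RPC traffic, and whether the Method 3 rule is turning them away, the web server's access log can be scanned for repeated POST requests to xmlrpc.php. The Python script below is an added example, not part of the original tutorial; the log lines are constructed samples in combined log format, and the threshold of 5 requests per 60 seconds is an assumed value to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def _line(ip, sec, status, method="POST"):
    """Build one constructed access-log line (combined log format)."""
    ts = f"10/Mar/2024:10:{sec // 60:02d}:{sec % 60:02d} +0000"
    return f'{ip} - - [{ts}] "{method} /xmlrpc.php HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample traffic, not real log data.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, 200) for s in range(0, 40, 5)]      # 8 POSTs in 35 s, answered
    + [_line("198.51.100.9", s, 403) for s in range(0, 20, 2)]   # 10 POSTs in 18 s, denied
    + [_line("192.0.2.44", s, 200) for s in (0, 300, 600)]       # slow client, 3 POSTs in 10 min
    + [_line("192.0.2.50", 5, 405, method="GET")]                # the browser check; not a POST
)

def xmlrpc_posts(log_text):
    """Yield (ip, timestamp, status) for each POST to xmlrpc.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])

def flag_floods(log_text, limit=5, window=timedelta(seconds=60)):
    """Report client IPs that sent more than `limit` XML-RPC POSTs inside any `window`."""
    by_ip = defaultdict(list)
    for ip, ts, status in xmlrpc_posts(log_text):
        by_ip[ip].append((ts, status))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        peak = start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            report[ip] = {"peak": peak,
                          "served": sum(s == 200 for _, s in hits),   # answered with 200 OK
                          "denied": sum(s == 403 for _, s in hits)}   # refused with 403
    return report

if __name__ == "__main__":
    for ip, stats in flag_floods(SAMPLE_LOG).items():
        print(ip, stats)
```

A flagged address with a high "served" count means the requests are still reaching WordPress; once the .htaccess rule is active, the same traffic should show up under "denied".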
