How to Protect WordPress from XML-RPC DDoS Attacks

Hackers can use the XML-RPC function in WordPress to launch DDoS attacks against your site. Here you will learn how to protect WordPress from XML-RPC DDoS attacks. Make your website safe today!

What is RPC?

RPC (Remote Procedure Call) is a mechanism that lets one application call a procedure in a different application or on a different machine.

What is XML-RPC?

Essentially, the XML-RPC protocol allows you to post, edit and publish pages from a desktop application like BlogDesk, MarsEdit and ScribeFire. In other words, it's used to publish your content remotely from your desktop. Most users do not need the WordPress XML-RPC interface, and it's one of the most commonly abused entry points for attacks.


What is a DDoS attack?

DDoS (Distributed Denial of Service) is an attempt to make a website unavailable by overwhelming it with massive traffic from multiple sources.

What Are the Best Ways to Protect WordPress from XML-RPC Brute Force Attacks?

There are many ways to block and disable access to XML-RPC as well as pingbacks and trackbacks, such as .htaccess rules, changes to the theme's functions file, or a plugin. To avoid any confusion, I will explain it simply in the following 5 steps.

  • Disable Pingback Function
  • Remove xmlrpc.php Linkback
  • Disable XML-RPC WordPress Plugin
  • Modify Themes Function
  • Block Access to xmlrpc by .htaccess


#1: How to Disable Pingbacks in Your WordPress Settings?

The first and simplest step is to disable pingbacks in WordPress, which are enabled by default. Open your site dashboard, go to Settings->Discussion, uncheck the option “Allow link notifications from other blogs (pingbacks and trackbacks)”, then save your changes.


#2: How to Remove xmlrpc.php link back from your header?

Open your site dashboard, go to Appearance->Editor->Header.php, then find and remove this line.


#3: What is the Best Plugin to Disable XML-RPC API Service?

The Disable XML-RPC plugin simply disables the XML-RPC API in WordPress, which is enabled by default.
All you have to do is install it from Plugins->Add New by typing “disable xml rpc pingback” in the search box (developed by Philip Erb), then activate it.


#4: Modify the Theme's Functions File to Block Access to XML-RPC

If you don’t want to install an additional plugin on your site, just add one of the following code snippets at the end of your theme's functions file, functions.php. Keep in mind that both snippets do the same thing as the Disable XML-RPC plugin.
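One way to do this in functions.php, as an added example rather than the post's original code. It uses standard WordPress hooks and goes slightly further than the `xmlrpc_enabled` switch alone, because that filter only covers XML-RPC methods that require a login and leaves pingbacks available:

```php
// Added example: append inside the existing PHP block of the theme's
// functions.php (do not add a second opening PHP tag).

// 1. Disable every XML-RPC method that requires authentication.
//    This stops username/password guessing through xmlrpc.php.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. 'xmlrpc_enabled' does not affect unauthenticated methods, so remove
//    the pingback methods explicitly to keep the site from being used
//    as a pingback relay.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint in the X-Pingback HTTP response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Remove the RSD discovery link that points clients at xmlrpc.php
//    from the page <head>.
remove_action( 'wp_head', 'rsd_link' );
```

With these hooks in place xmlrpc.php still answers requests, so each one still costs PHP execution time; blocking the file at the web server, as in step 5, is what removes that load.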



#5: How to Block Access to XML-RPC by Modifying .htaccess?

If you would like to block access to the xmlrpc.php file, just add the following code at the end of the .htaccess file.

If you would like to block access for everyone but allow it for your own IP, use the following code and replace “11/22/33/44” with your own PC IP.


  • Be smart, fight malicious attacks, and don’t surrender.
  • Keep learning every day how to close all the backdoors in your site.
  • Be 100% sure of the fix after each completed step by testing the results manually.
  • Beware of modifying the .htaccess file, because you may block other useful pages by mistake.