Protecting your WordPress blog from XML-RPC Attacks on Ubuntu

Many of the hacking attempts on websites today are still done through brute force, that is, by trying to break into an account by submitting hundreds of candidate login details. Brute force attacks are in fact one of the oldest and most common types of attack that we still see and experience on the Internet today. They can be carried out over protocols like SSH or FTP, or, in the case of a web server, as web-based brute force attempts against the CMS that you are using.

The good news is that most brute force attacks are slow and noisy, which makes them easy to mitigate. Unfortunately, most hackers have caught up to this and some now use what is called brute force amplification. This speeds up the attack significantly by replacing the 1-to-1 relationship between a request to the server and a password guess with a 1-to-many relationship, so that a single request can carry up to 500 password attempts.

One of the most common brute force amplification attacks is carried out through XML-RPC. WordPress uses XML-RPC to let clients execute functions remotely. The same functionality that makes it so popular can also be exploited to send thousands of requests to WordPress in a short amount of time. Such an attack can be recognized in two ways:

1) You see the “Error connecting to database” message when your WordPress site is down
2) Your web server log contains many entries similar to “POST /xmlrpc.php HTTP/1.0”

In this tutorial you will learn how to protect WordPress from such attacks in two distinct ways. Follow the steps below:

#1: through the Jetpack plugin

A very useful prevention tool in such scenarios is the Jetpack plugin for WordPress: its Protect function can block XML-RPC multicall method requests.

  • To begin its installation, log into your WordPress control panel and select Plugins->Add New in the left menu.
  • Search for Jetpack and, once you’ve found it, click the Install Now button to download, unpack, and install it.
  • Then click the Activate Plugin link on the page.
  • Finally, click the Connect to WordPress.com button to complete the activation of Jetpack.
  • The Protect function is enabled automatically; the Jetpack dashboard shows it as Active.
  • As a last, optional step, enter the IPv4 or IPv6 addresses that you want to whitelist and click the Save button.

#2: by manually blocking all XML-RPC traffic with Apache

A second, more traditional approach to this scenario is to manually block all the traffic coming through XML-RPC with Apache. Note that this also blocks legitimate XML-RPC clients, including Jetpack itself and the WordPress mobile apps, so use it only if you do not rely on them.

  • First, edit the configuration file with the following command:
    sudo nano /etc/apache2/sites-available/000-default.conf
  • Add the following lines between the existing <VirtualHost> tags:

    Apache VirtualHost Config
    <VirtualHost *:80>
    …
        # Deny every request for xmlrpc.php. "Order"/"Deny" is Apache 2.2
        # syntax; Apache 2.4 still accepts it while mod_access_compat is
        # loaded (the Ubuntu default). The 2.4 equivalent is "Require all denied".
        <Files xmlrpc.php>
          Order allow,deny
          Deny from all
        </Files>
    </VirtualHost>

  • Save and close this file when you are finished.
  • Restart the web server to enable the changes by entering this command:

    sudo service apache2 restart

And you’re done! Your WordPress blog is now more secure and able to withstand XML-RPC attacks!