
XML-RPC Enabled
XML-RPC lets attackers run thousands of login attempts at once. Learn how to disable it in two steps.
What is this?
XML-RPC is an old API built into WordPress that lets external apps communicate with your site — things like posting from email clients or early mobile apps. WordPress has a modern REST API now, so XML-RPC is largely obsolete. But it is still active by default, and attackers have found creative ways to abuse it. The most common attack uses XML-RPC's "system.multicall" method to bundle up to 200 username/password attempts into a single HTTP request.
Why does it matter?
That bundling trick makes brute-force attacks significantly faster and harder to block with simple rate limiting. A bot can try thousands of passwords per minute via XML-RPC while appearing to make only a few requests. If you're not actively using XML-RPC for something specific (most sites aren't), disabling it costs nothing and eliminates an entire category of attack. The scan result of "fully enabled" means xmlrpc.php is responding to POST requests without restriction.
How to fix it
These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.
Option A (no code): Install the free plugin "Disable XML-RPC" from the WordPress plugin directory. Activate it. Done.
Note: This is the easiest method for non-technical users.
Option B (via .htaccess): Log in to cPanel → File Manager → public_html → open .htaccess. Add:
<Files xmlrpc.php>
    Require all denied
</Files>
Save.
For developers / SSH access
Edit .htaccess in your site root:
nano /var/www/html/.htaccess
Add the Files block:
<Files xmlrpc.php>
    Require all denied
</Files>
Alternatively, block it at the Nginx level inside your server block:
location = /xmlrpc.php {
    deny all;
}
How to verify the fix
Try visiting your-site.com/xmlrpc.php in a browser. A blocked site returns 403 Forbidden or times out. Re-run your scan and check that XML-RPC shows as "pass" or "info" (if the endpoint exists but POST is blocked).
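A browser GET is a quick first look, but the scan result is about POST, so the check worth scripting is a POST that the endpoint would normally answer. The script below is an added example, not the scanner's own check, using only the Python standard library: it POSTs a harmless `system.listMethods` call to `/xmlrpc.php` and classifies the answer. A 401/403 or no response means the block is working; an XML `<methodResponse>` means the endpoint is still fully enabled. Note that an enabled endpoint answers a plain browser GET with a 405 and the text "XML-RPC server accepts POST requests only.", so a GET alone does not prove much either way. The `classify` function is separated out so it can be exercised without network access.

```python
"""Verify that xmlrpc.php no longer answers POST requests.

Added example, not the scanner's own check. Standard library only.
Usage: python xmlrpc_check.py https://your-site.com
"""
import socket
import sys
import urllib.error
import urllib.request

# A read-only call that an enabled XML-RPC endpoint answers without credentials.
LIST_METHODS = (
    b'<?xml version="1.0"?><methodCall>'
    b'<methodName>system.listMethods</methodName><params/></methodCall>'
)


def fetch(url, data=None, timeout=10):
    """Return (status, body). Status None means no HTTP answer at all (timeout, refused)."""
    req = urllib.request.Request(
        url,
        data=data,
        method="POST" if data is not None else "GET",
        headers={"Content-Type": "text/xml", "User-Agent": "xmlrpc-check/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a status we want to see
        return e.code, e.read()
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, b""


def classify(post_status, post_body):
    """Map the POST response to one of the verdicts the page describes."""
    if post_status is None:
        return "blocked (no response / timed out)"
    if post_status in (401, 403):
        return "blocked"          # the .htaccess / Nginx deny is working
    if post_status == 404:
        return "absent"           # file removed or rewritten away
    if post_status == 200 and b"<methodResponse" in post_body:
        return "enabled"          # WordPress parsed and answered the XML-RPC call
    return "unknown"              # e.g. a WAF page or maintenance page


def check_site(base_url):
    """Return the verdict for the site's /xmlrpc.php."""
    status, body = fetch(base_url.rstrip("/") + "/xmlrpc.php", data=LIST_METHODS)
    return classify(status, body)


if __name__ == "__main__":
    print(check_site(sys.argv[1]))
```

Run it once before and once after applying the .htaccess or Nginx block; the verdict should move from "enabled" to "blocked". If it reports "enabled" even though the browser shows an error page, the rule is not matching the POST path, which is exactly the case the scan's "fully enabled" result describes.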