Brute force attacks against any CMS are a common occurrence these days. One of these attacks is the XML-RPC attack.

WordPress utilizes XML-RPC to remotely execute functions.

The attack is possible because WordPress allows XML-RPC calls to be stacked in a single request using system.multicall, which lets an attacker overwhelm the server quickly.

More information on this can be found here:

To check whether your website is under XML-RPC attack, look at the access log of your web server. For Apache on Linux, the file to check is:

You are under attack if you find entries similar to:

POST /xmlrpc.php HTTP/1.0

To protect your website from this attack, do one of the following:

  1. Install the Jetpack plugin in your WordPress installation
  2. Manually block all XML-RPC traffic
    For this, on Apache/Linux, add the following entries to the file:

        <Files xmlrpc.php>
            Order allow,deny
            Deny from all
        </Files>

    Now restart your web server and you are good to go.
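An added example (not from the original post) that emits the deny block in the syntax the running Apache understands: the Order/Deny directives above are Apache 2.2 (mod_access) syntax and on Apache 2.4 only work when mod_access_compat is loaded; the 2.4 equivalent is "Require all denied" from mod_authz_core. The version line is constructed sample input, and the config path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): print the <Files> block that
# denies all access to xmlrpc.php in the directive syntax matching the
# Apache version in use.

# Extract "major.minor" from `apachectl -v` / `httpd -v` output such as
# "Server version: Apache/2.4.57 (Ubuntu)". Prints nothing if no version is found.
apache_major_minor() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Print the deny block for the given major.minor version.
# 2.2: mod_access Order/Deny directives (also accepted by 2.4 only with
#      mod_access_compat loaded).
# 2.4: mod_authz_core "Require all denied".
xmlrpc_deny_block() {
    case "$1" in
        2.2)
            printf '%s\n' '<Files xmlrpc.php>' '    Order allow,deny' '    Deny from all' '</Files>' ;;
        2.4)
            printf '%s\n' '<Files xmlrpc.php>' '    Require all denied' '</Files>' ;;
        *)
            echo "unsupported or unknown Apache version: '$1'" >&2
            return 1 ;;
    esac
}

# Usage on a real server (path is a placeholder):
#   ver=$(apache_major_minor "$(apachectl -v 2>/dev/null)")
#   xmlrpc_deny_block "$ver" >> /path/to/site.conf
#   apachectl configtest && apachectl graceful
# Here the version line is constructed sample input.
SAMPLE_VERSION_LINE='Server version: Apache/2.4.57 (Ubuntu)'
xmlrpc_deny_block "$(apache_major_minor "$SAMPLE_VERSION_LINE")"
```

Run apachectl configtest before reloading: on 2.4 without mod_access_compat the 2.2 directives are rejected as unknown and the server will not start, which is easy to mistake for a typo in the block.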