Protect your WordPress site from xmlrpc.php brute force attack


If you see a large volume of unknown traffic hitting your WordPress xmlrpc.php file, you should be worried: it is a brute force attack on your WordPress site through the xmlrpc.php file. Your hosting server's resources may be exhausted very soon, and you may see “Resource Limit Is Reached” or the 508 error while operating your site.

If, like me, you are not familiar with the WordPress file system and core technical details, you may search Google for ‘what is the xmlrpc.php file?’. You can do that later; meanwhile, I would like to share my understanding of it…

The xmlrpc.php file provides an XML-RPC interface for operating the WordPress site remotely from other devices and applications. In short, the file lets you connect to your site from a smartphone and implements trackbacks and pingbacks from other sites. It was useful in the early days of slow internet; now it is not so useful for us.

But the xmlrpc.php file attracts hackers: they program bots to hit the WordPress xmlrpc.php file continuously. So it is better to disable the file on your WordPress site.

Now you may wonder: how do you know that your xmlrpc.php file has been targeted by a hacker?

Yes, I thought that too, and I did not find it in my Google Analytics results. When I faced “Resource Limit Is Reached” frequently, I logged into my A2 Hosting cPanel and found, OMG!! CPU usage at 99%.

Then I went to the Visitors tab in cPanel and found that the xmlrpc.php file had been hit more than 1200 times from the same IP address.
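As an added example (not part of the original post), the same per-IP count can be taken from a raw access log instead of the cPanel view. It assumes the Apache "combined" log format; the threshold of 100 and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_hits(lines):
    """Return {ip: Counter({status: count})} for POSTs to xmlrpc.php."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed line, or a plain GET such as a manual check
        path = m["path"].split("?", 1)[0].lower()
        if path.endswith("/xmlrpc.php"):
            hits[m["ip"]][m["status"]] += 1
    return hits

def suspects(lines, threshold=100):
    """IPs at or above the threshold, busiest first: (ip, total, served_200)."""
    rows = [(ip, sum(c.values()), c["200"]) for ip, c in xmlrpc_hits(lines).items()]
    return sorted((r for r in rows if r[1] >= threshold), key=lambda r: -r[1])

# Constructed sample log (documentation IP ranges), not data from the article.
def _line(ip, method, path, status):
    return (f'{ip} - - [10/Mar/2024:04:12:07 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 370 "-" "Mozilla/5.0"')

SAMPLE_LOG = (
    [_line("203.0.113.45", "POST", "/xmlrpc.php", 200)] * 1200   # served by WordPress
    + [_line("203.0.113.45", "POST", "/xmlrpc.php", 403)] * 50   # refused by the server
    + [_line("198.51.100.7", "POST", "/xmlrpc.php", 200)] * 3    # occasional client
    + [_line("198.51.100.7", "GET", "/xmlrpc.php", 405)]         # manual browser check
    + [_line("192.0.2.10", "GET", "/wp-login.php", 200)]         # unrelated request
    + ["corrupted line"]
)

if __name__ == "__main__":
    for ip, total, served in suspects(SAMPLE_LOG):
        print(f"{ip}: {total} POSTs to xmlrpc.php, {served} answered with 200")
```

The count of requests answered with 200 shows how many reached WordPress; once the file is blocked, new requests from the same address should stop adding to it.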

Now the question is: how to disable it?

How to disable the xmlrpc.php file with plugins? 

When you use WordPress, most of the time there is a plugin to solve your problem or do your task. In this case, there is a free plugin available in the WordPress repository: Remove & Disable XML-RPC Pingback.

If you want to disable the file with a plugin, just install and activate it. But there is an alternative way to do the task: put a simple code snippet in your .htaccess file.

I personally use the code, and I would like to recommend it to you as well.

How to disable the xmlrpc.php file without plugins?

To do this, log in to your cPanel first, then follow these steps…

  • Find the File Manager and click on it.
  • Find the folder of your site. Most of the time it is the public_html folder.
  • Go to the .htaccess file. Sometimes the .htaccess file is hidden for security reasons. If it is hidden, change the visibility option in the settings.
  • Right-click on it and choose Edit.

Don’t forget to back up the .htaccess file before you start editing.


Put the following code after the # END WordPress line.

Copy the code from here:

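# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
# Apache 2.2 access-control syntax: refuse every request for this file
# (on Apache 2.4 without mod_access_compat, use "Require all denied" instead)
order deny,allow
deny from all
</Files>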

Save the file. Done!! The xmlrpc.php file is now disabled.

How do you know whether the xmlrpc.php file is disabled?

To check the status of the xmlrpc.php file, just add /xmlrpc.php after your domain name and press Enter. (It looks like

If it is disabled, you will see a 404 page.

If it is not disabled, you will see a message like:
XML-RPC server accepts POST requests only

I hope this article helps you.

 Supriya Kanjilal
