The xmlrpc.php file is active and used for brute force or DDoS amplification attacks.
XML-RPC Enabled and Abused
Key Points: The xmlrpc.php file is active — and bots are using it to slam your server or try logins.
Unless you’re publishing from mobile or using Jetpack, you likely don’t need XML-RPC. But attackers love it: it supports multiple login attempts with one request. Perfect for brute force and pingback abuse.
🧨 Signs of Abuse
- High server load without frontend traffic
- Thousands of POST requests to /xmlrpc.php
- Login attempts bypassing regular wp-login.php protections
🛠️ Disable It
- Use a security plugin or .htaccess rule to block access
- Completely disable if not using Jetpack, app login, or remote publishing
- Log and monitor requests via your hosting panel
🚫 Reminder
This endpoint is an outdated relic — unless you need it, kill it with fire.