Recently I've been working on WordPress security optimizations and found that the /xmlrpc.php file is often scanned and attempted to be brute-force broken, especially with the use of system.multicall() to initiate a large number of requests at the same time, which is easy to abuse.

?

After searching around, I found quite a few suggestions to block this interface directly, such as using one of the following methods:

• Add in .htaccess:

  <Files xmlrpc.php>
Order Deny, Allow
Deny. from all
</Files>


• Or disable XML-RPC with a security plugin such as Wordfence / All in One WP Security.

However, it's also seen that some plugins (such as Jetpack) rely on it, and disabling it completely may affect functionality.

?

A question for everyone: do you turn this off by default? Ever encountered a brute force attack? Is there a better protection program?

Incidentally, I used the logging tool to see someone make 200+ calls in a row to the system.multicall(), server resources are almost stretched ......

Contact Us
Can't read the tutorial? Contact us for a free answer! Free help for personal, small business sites!	Customer Service
① Tel: 020-2206-9892
② QQ咨詢：1025174874
(iii) E-mail: info@361sale.com
④ Working hours: Monday to Friday, 9:30-18:30, holidays off