WordPress protection against XML-RPC attack

1 min


XML-RPC attack: Some time ago monitoring showed increased load on the webserver. Traditionally I immediately went to check the log of the Nginx web server for suspicious activity. This activity was immediately noticed as requests to the file xmlrpc.php. I read on the Internet what kind of file it was and decided to forbid access to it since I do not need it.

A sign of increased interest in your website on WordPress will be the following lines in the log file: - - [26 / Oct / 2017: 13: 01: 22 +0300] "POST //xmlrpc.php HTTP / 1.1" 200 16014 "-" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit /537.36 (KHTML, like Gecko) Chrome / 61.0.3163.100 Safari / 537.36 "" - "

For example, we will assume that the webserver is configured for the article – setting up the webserver nginx, PHP-fpm, php7 on CentOS 7. There is such a rule at the end of the enumeration of locations in nginx:

location ~ /\.ht {
 deny all;

We change it by adding the xmlrpc.php file lock and putting it on the list as the very first location.

location ~ * ^ / (\. ht | xmlrpc \ .php) $ {
 return 404;

Reread the nginx config:

# nginx -s reload

Check if the file xmlrpc.php actually works. To do this, first just follow the link, in my case such – https://cmsdaddy.com/xmlrpc.php We checked the GET request. To check the POST request, enter the following in the browser’s address bar:

data: text / html, <form action = https: //sprin.cloud/xmlrpc.php method = post> <input name = a> </ form>


In the form that appears, enter any value and press Enter on the keyboard.

Check the log file.

# cat ssl-access.log | grep - - [18 / Dec / 2017: 15: 35: 07 +0300] "GET /xmlrpc.php HTTP / 2.0" 404 201 "-" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv: 57.0) Gecko / 20100101 Firefox / 57.0 "" 1.30 " - - [18 / Dec / 2017: 15: 41: 44 +0300] "POST /xmlrpc.php HTTP / 2.0" 404 201 "-" "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv: 57.0) Gecko / 20100101 Firefox / 57.0 "" 1.30 "

All right, the webserver issues an error 404. Closed access to the file xmlrpc.php, through which you can brute up accounting, or look for XML-RPC or any other vulnerabilities.

Like it? Share with your friends!

What's Your Reaction?

cute cute
lol lol
love love
scary scary
hate hate
geeky geeky
omg omg

Hello Guys, Here we write about ultimate guides about content management system (CMS) and other software such as WordPress, Joomla, Drupal, Oxwall, Skadate, Prestashop, Magento, CSS, HTML, Linux, CentOS, Ubuntu, Windows, macOS, Android, iOS, iPadOS, etc...


Your email address will not be published. Required fields are marked *

Choose A Format
Formatted Text with Embeds and Visuals
Voting to make decisions or determine opinions
The Classic Internet Listicles
Personality quiz
Series of questions that intends to reveal something about the personality
Trivia quiz
Series of questions with right and wrong answers that intends to check knowledge
Ranked List
Upvote or downvote to decide the best list item
Open List
Submit your own item and vote up for the best submission
The Classic Internet Countdowns
Youtube and Vimeo Embeds