Header background

Our Blog


XML-RPC Exploit Slowing Thousands of WordPress Websites

An outdated WordPress remote protocol could be slowing down or exposing your website to hackers.

Recently I’ve received a few inquiries regarding slow running WordPress websites. Many things can cause a laggy website and, as a result, they are typically tough to quickly diagnose. The common culprits are bad web hosts, unoptimized images/files on websites, or too many scripts running due to “plugin happy” web designers. The usual suspects didn’t seem to be causing any of the speed issues (at lease no to the degree these sites were experiencing).

As I was investigating these requests, another strange thing happened; I received a bill of $105.00 from MediaTemple for a “GPU Overage”. This bill was a big surprise as MediaTemple is only my $20 a month “Playground Host.” I use it for pet projects and quick tests. I do not keep serious work on this account, so how could I possibly be overusing the allowed GPU’s? Upon a deeper look, I discovered that an old website that contains nothing of use to anyone other than my curious mind four years ago was receiving 25,000 HTTP requests a month.

This website was not a public site and shouldn’t be receiving 25 visits a year, let alone 25,000 a month. How could this be? Was this traffic an attempted DDoS or Brute Force attack? I was already using BruteProtect to help guard my website, and MediaTemple assured me that they had security protocols in place to block DDoS & Brute Force attempts. When I tried to load this website, it was operating at a slugs pace.

Was there a connection between these other active websites and my old “play” website that caused them to run slow and me to receive a bill for using too many server resources?

Enter XML-RPC: An underused and often exploited protocol for WordPress

XML-RPC allows remote connections from 3rd party clients like Windows Live Writer or the iPhone or Android WordPress Apps. These tools while sounding nice in theory, are often never used for maintaining a WordPress website.

The four most common uses for XML-RPC are:

  1. Pingback/Trackbacks – A great source for spam on your WordPress blog. Also used in DDoS Attacks.
  2. Jetpack – A bloated WordPress Plugin that is promising the world and only delivering long page load times.
  3. WordPress Mobile Apps – Made utterly useless due to responsive and the fact that most people do not maintain a WordPress site on their phone.
  4. IFTTT – An automation tool for hooking up cool “IF This, Then That” recipes for things like automatically posting uploaded WordPress photos to Twitter or Facebook. Although this is the best use of XML-RPC in the list, it is not used on most.

Despite the rare use of the above applications, by default a WordPress will leave XML-RPC enabled. Enabling XML-RPC on a site that doesn’t utilize it is sort of like having a doggy door on a home with no pets. Eventually someone crafty or persistent enough is going to find a way to enter the home through this little hole.

Why Should You Be Concerned About the XML-RPC Threat?

In early October, Daniel Cid, over at the security blog, Sucuri wrote an article titled, “Brute Force Amplification Attacks Against WordPress XMLRPC.” In his article, Cid describes how even the most basic of security tools can be used to thwart traditional Brute Force attacks:

“These attacks are often not very complex and are theoretically easy to stop and mitigate, but they still happen and are successful; mostly, because people are very bad at choosing good passwords, or employing good access control habits. There is a catch however, while simple, these Brute Force attacks are noisy. Traditionally, to try 500 different passwords, the attackers would need to attempt 500 different login attempts that would be captured in a 1 to 1 relationship with each request to the serve. By design, this simplifies the mitigation approach, as every single attempt is logged and can be blocked once a certain limit is reached…

What if, the attacker could reduce the noise? What if the attacker could make it so that it’s a 1 to many relationship between each request? Imagine a request that was able to try 500 passwords in one shot.”

Using a feature in XML-RPC called system.multicall, thousands of requests (such as login attempts) can be made to WordPress essentially by-passing any software designed to block Brute Force attacks.

“But My Password is Very Complex, So I’m Safe, Right?”


Remember this article began with concern for website speed and server overuse charges. Even if you’re using the most complex combinations of usernames and passwords to protect access to your website, these types of exploits can still cause you major headaches.

Imagine going to the mall on the dreaded Black Friday. If everyone lines up to enter their favorite store and is allowed in one at a time, then there are no problems, right? Right. Unfortunately, as the Local News shows us every year, this is never the case. What instead happens is that hundreds or thousands of people try to cram into the store doors at the same time causing chaos and preventing others from entering the store. This situation is very similar to what happens to your website when a Bot or Attacker sends tons of requests to your website.

Even if they’re not gaining Administrator access to your site, they can still slow or stop others from accessing your site by “blocking the doors”. This issue turned out to be the issue that causing so much strife on my old pet project and those I’d been recently contracted to help out. As soon as I shut down the unneeded XML-RPC on the sites, HTTP requests died and peace was slowly restored.

Protecting Yourself from XML-RPC Exploits

While all of this may sound scary and complicated, protecting yourself from XML-RPC exploits is a relatively pain-free process (assuming that you’re not using any tools that rely on it). There are three simple solutions to help: a WP plugin, editing your WP functions file or adding rules to .htaccess (the latter two should probably be left up to a developer).

WordPress Security Plugins to guard against XML-RPC Exploits

The easiest way to protect yourself from this exploit as well as other security issues is to use a WP security plugin, like iTheme Security Pro. While tools like this make WordPress security a synch, caution should also be exercised to only touch settings you’re confident in touching. One wrong click and you have the potential to not only lock yourself out but to ban your IP address (a true sign of good security).

Removing XML-RPC in Functions.php

Another simple way to disable XML-RPC is by adding a line of code into your WordPress theme’s function.php.

add_filter('xmlrpc_enabled', '__return_false');

Disabling XML-RPC in .htaccess

Lastly, you also have the option to all xmlrpc.php requests before they even hit your WordPress site.

Just copy the following and paste it into your .htaccess file

# Block xmlrpc.php requests from WordPress
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Need Help Getting Your Website Up To Speed?

As always, if you need help with speed or any topic related to your website, please reach out and get in touch.

Comments ( 0 )

    Leave A Comment

    Your email address will not be published. Required fields are marked *

    Footer background
    Lacey, WA
    (360) 402-0771

    Drop us a line

    Yay! Message sent. Talk to you soon! Error! Please validate your fields.
    © 2014 AJ Creative. All rights reserved.
    Request a Quote