Sucuri Security released a public announcement on October 8th regarding a large scale attack which could leave your blog at risk of hackers gaining unauthorized access. To summarize, attackers are taking advantage of a vulnerability in WordPress’s XML-RPC system.multicall method which effectively allows them to issue hundreds of login attempts with a single request. To put it another way, this is an extreme case of brute forcing logins in an attempt to determine your administrative user credentials. Based on the sheer number of attempts an attacker can make for each call, they are 50-100 times more effective than normal brute force attempts.

The first attack was spotted on September 10th, so it’s been in the wild for nearly a month now. Where this becomes problematic is the sheer increase in the number of websites experiencing this attack in the past few days. So the question remains, what can you do about it as a WordPress blog owner?

How can I stop XML-RPC Brute Force Amplification Attacks?

Great question. We wanted to provide a crystal clear answer for users worried about their WordPress blog’s security. There’s three primary variations you can utilize to stop attacks. While this will help mitigate your risk of being hacked, it’s not foolproof. It merely decreases the attacker’s likelihood. You are still prone to a DDoS attack unless you sit behind a CDN or service with DDoS protection.

You’ll note that we removed the previously proposed fix for disabling the system.multicall method via the filter xmlrpc_methods as this did not properly remove the method from the list of available methods (as covered in the comments section below). If your site is using this method, you should use an alternative below.


Stop Attacks with Apache .htaccess

Add the following code to your WordPress base public directory (the one where the main index.php file resides) if you want to disable all access to XML-RPC. This may not be the desired effect you wanted depending on if you have plugins installed.

<files xmlrpc*="">
order deny,allow
deny from all


Stop Attacks by Disabling XML-RPC in wp-config.php

You can chose to update your wp-config.php configuration file and add the following line below the last ABSPATH statement:

add_filter('xmlrpc_enabled', '__return_false');


Friends don’t let friends get hacked. Spread the word!


Caution: Some Popular Plugins use XML-RPC

By disabling XML-RPC, you may risk breaking some popular plugins. If you have any of the plugins listed below, you may want to do a bit more research:

  • WordPress Mobile App
  • JetPack
  • LibSyn (for podcasts)
  • BuddyPress
  • Windows Live Writer
  • Several photo gallery plugins


Got an idea or business and want an online presence while you’re here? Get started today! Whether you’re looking for a free domain, email, and webpage or want something more substantial, POP gets you connected to what you need simply and easily.

Share this post on Tweet about this on TwitterShare on FacebookShare on Google+Share on TumblrShare on LinkedInShare on RedditDigg thisBuffer this page

5 Responses to “Protecting Your WordPress Blog From XML-RPC Brute Force Amplification Attacks”

  1. Leha

    Thank you so much for this. Will definitely share! 🙂

    Do you happen to know a way I can test the function/filter to make sure it’s working right? I want to make sure it’s working in functions.php, and if so, then try it in the Code Snippets plugin instead.

    Thanks again!


    • Corey Ballou

      Hey Leha,

      Based on analysis thanks to a comment from Sam, I recommend removing the functions.php code in favor of one of two other methods as it does not appear to solve the issue. You can check if XML-RPC is enabled on your site with this tool:

  2. Paul

    Hey Corey,

    I just wanted to follow up here on your code you posted about removing the multicall method. When I looked to add protection against this problem to our security plugin, I was going to do something similar, but I found that this didn’t seem to work since that method ‘system.multicall’ is not ever actually passed through the filter.

    Now, I may have missed something in my tests, but after reading this, I retried and tested it but I still meet the same problem. I’m happy to be wrong – can you confirm for me that this is a viable approach?

    Thanks! Please feel free to email me directly to the email I provided…

    • Corey Ballou

      Hey Paul,

      You’re definitely right on this one. The class wp_xmlrpc_server extends IXR_Server. When it serves a request via serve_request() and makes a call to $this->IXR_Server($methods), it first applies the filter $this->methods = apply_filters('xmlrpc_methods', $this->methods); before it merges the WordPress supplied XML-RPC methods with the defaults in IXR_Server (which includes system.multicall). This means there’s no matching method to remove as you indicated. We’ll remove this method as it won’t block the call!

comments are closed