Game Tech Tutorial
Published in

Game Tech Tutorial

8 Tips to secure WordPress and avoid XML-RPC Attack

In this post, we will provide some tips to protect your WordPress and avoid XML-RPC attacks and explore how to use some open-source solutions and plugins to protect your WordPress.

WordPress is secure but open-source plugins and themes make it become vulnerable to hacker attempts. Anyone can see the source codes of your plugins or themes, so it’s easy to find code vulnerabilities and attack your website by sending a high volume of HTTP requests in a short period of time.

For instance, one can simply make a lot of requests to /xmlrpc.php on your WordPress Host. Your website will be easily attacked by Brute force attacks via XML-RPC.

Unfortunately, setting up a network firewall properly can not save you to solve this problem.

Instead, you need to use a Web Application Firewall to protect WordPress or set up rules on Apache. Because this attack coming from Http on Port 80 or Https on Port on 433 will be bypassed network firewall policies by default.

XML-RPC Attack

XML-RPC on WordPress is actually an API that allows developers who make 3rd party applications and services the ability to interact with your WordPress site.

The XML-RPC API of WordPress provides several functionalities including publishing, editing, deleting a post, uploading a new file, getting a list of comments, edit comments.

I have set up WordPress on Lighsail on AWS to achieve high performance and availability but I found lots of security problems in vulnerable plugins.

Once I made my WordPress public, my WordPress had a high load of CPU utilization.

After checking incoming logs on the firewall, I found the cause of this problem was Brute-Force XML-RPC Attack.

Below will show you some tips to protect your WordPress in a cost-effective way and avoid XML-RPC attacks.

8 Tips to protect WordPress

1. Disable XML-RPC Attack

You can install any WAF to disable XML-RPC Attack or simply set up a policy on Apache at .htaccess as below

# .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all

2. Hide the Login URL

Install WPS Hide Login and hide the default login URL of WordPress.

Because there are lots of malicious hackers using tools to find your login page of WordPress and trying to use a Brute-force attack to break the Password with the Admin user account.

You had better change the login URL to a very special and unique string, not easy to guess.

3. Restrict Login Attempts

If a hacker found your login page, he would try to guess the password to break your website.

It’s recommended to restrict the login attempts to as minimal as possible.

If he failed more than 3 times, then block his IP to access.

4. Disable wb-cron.php

This file usually exists under the root of the WordPress site: /wp-cron.php

By default, the wp-cron.php is called on every page load (anytime a client requests any WordPress page), which on high-traffic sites can cause problems (DoS).

Also, a hacked can make a lot of GET requests to /wp-cron.php on your WordPress Host to try invoking some scripts.

To completely remove this potential risk, it is recommended to disable Wp-Cron as below.

vim wp-config.phpdefine('DISABLE_WP_CRON', true);

5. Regularly update and scan plugins and themes

This sounds like a tedious job to regularly check and update your plugins and themes.

But you have to do it anyway. Because most of the vulnerabilities or malware attacks come from depreciated plugins, themes, or WordPress.

You can Install WPS Scan to run a cron job to regularly check your plugins. Once you found any plugins needed to upgrade, update them immediately.

6. Remove Admin User and Strength Password

Don’t forget to remove the default user as admin or administrator on WordPress. This can reduce the risk of being attacked by a Brute-force Attack.

Also, create a new account as the administrator and strength your password, and make it hard to guess.

7. Install and Setup Web Application Firewall

There are tons of Web Application Firewalls over there. But how to choose a Web Application Firewall (WAF)?

We will provide some WAFs that are useful for your reference.

NinjaFirewall (WP Edition) — Advanced Security Plugin and Firewall


  • the free version is very powerful including all the features to protect your WordPress
  • you can easily check access logs


  • settings may be hard for someone who has limited knowledge of security

Wordfence Security — Firewall & Malware Scan


  • fancy admin UI, easy to use
  • cover all the necessary features.
  • access logs are very easy to understand


  • Cannot completely protect XML-RPC Attack
  • Because Wordfence will detect someone is attacking your website and take actions to block his IP. This won’t completely avoid XML-RPC Attack but will take computing power and keep your server’s CPU utilization running in a high load.

Sucuri Security — Auditing, Malware Scanner and Security Hardening


  • fancy admin UI, easy to use
  • cover all the necessary features.


  • you need to pay commercial version to include some important features.

8. Validate WordPress in OWASP ZAP

When you set up the WAF and network firewall properly, you should install OWASP ZAP and run OWAP-10 Attacks on your WordPress.

This can help you to better understand how secure your website is and find problematic plugins or PHP, CSS, JavaScript files. Then you can take actions to fix them.


To make WordPress secure is not hard but time-consuming. You need to regularly check and update plugins and themes.

In addition, it’s required knowledge to set it up WAF properly and to regularly run the pen-testing tool to validate your WordPress.

Of course, you can use 3rd Party service to manage your WordPress or rely on some professionals to maintain it.

Thanks for reading.

You might be interested in



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Eric Wei

Eric Wei


Senior Full Stack Engineer & Solution architecture | AWS, GCP, Azure | Cloud, Unity Game Development, SDK, DevOps, and more.