Notice: Trying to access array offset on value of type bool in /home/bestouk/public_html/CMS/Scripts/PageViewCounter.php on line 77
WordPress hosting - XML-RPC attacks

WordPress XML-RPC brute force attacks

Published on 5th December 2015

Recently, a new brute force attack method for WordPress was identified by Sucuri. This new technique allows attackers to try a very large number of WordPress username and password login combinations in a very short time.

According to security firm Sucuri, hackers are taking advantage of the fact that the XML-RPC protocol, which is supported by WordPress and several other popular content management systems, allows users to execute multiple methods within a single request by using the "system.multicall" method.

In simple terms this means that, instead of having to submit one password at a time until the correct one is found, hackers can now potentially submit 100s' of passwords in one go, increasing their chances of finding the correct one. This means that a weak username / password combination into your WordPress admin area can potentially be cracked in minutes instead of hours or days.

The best way to stop the attacks is to disable access to the xmlrpc.php file and this will be fine for most WordPress installation. Unfortunately, this can prevent some plugins, such as the popular Jetpack plugin, from working properly. It will also make it impossible for you to use a mobile app or remote connections to publish to your WordPress site.

So, what do we advise?

  • Your username and password should be at least 10 characters long and made-up of a random mix of numbers, upper and lowercase letters with one or two special characters.
  • Always make sure you are using the very latest version of WordPress.
  • If you do not use the Jetpack plugin and do not publish to your site using a remote app, disable XML-RPC in your WordPress installation. This can be done by using the Disable XML-RPC plugin or by adding the following code to your .htacces file:

    # BEGIN protect xmlrpc.php
    Redirect 403 /xmlrpc.php
    ErrorDocument 403 " "
  • Consider using a plugin such as Wordfence which will add to the protection of your WordPress installation. Wordfence doesn't stop this particular issue but can help to make your site more secure.

If you are interested in reading more about the XML-RPC vulnerability, you can have a look at the article published by Sucuri at


View all blog posts

Shorter is better!

The new .uk domains are now available.

Register yours now

Our Content Management System (CMS) is a flexible and efficient way to manage your site...

Find out more

Website management tools:

Content Management System | CMS

An easy-to-use application that allows you to fully manage your website's content.

More info...

Email marketing

Communicate better, use this tool to build stronger relationships with your contacts.

More info...

This website is using cookies, click here for more info.

That's Fine