WordPress XML-RPC flooding

Dear WordPress-User,

maybe you know about XML-RPC, or at least you know about Trackbacks and Pingbacks, as WordPress calls them. And maybe you noticed that you don’t use them at all.

Sadly XML-RPC has a big flaw: you can get attacked; flooded with POST requests to xmlrpc.php, one request every few milliseconds for a few hours. Your page gets slower until your webserver raises the white flag. You’re being DoS’ed.

Do yourself a favor. Block all access to /xmlrpc.php and be happy again. This will cause trouble with some services like the WordPress Smartphone App, but in my situation it’s worth it. I don’t use the App at all and was being attacked multiple times a day.

Most likely your php is processed by Apache. Add this to your .htaccess file to deny access to XML-RPC.

<Files "xmlrpc.php">
    Order Allow,Deny
    deny from all

If your php is processed by nginx, you need to add this to your nginx config:

location = /xmlrpc.php {
    deny all;
    access_log off;
    error_log off;

To test this, simply try to request yoursite.com/xmlrpc.php. You should get a 403 Forbidden.

Note from Future-Timo: WordPress‘ Jetpack seems to use xmlrpc.php for communication. Currently I’m trying to just disable pingback using the following snippet in my functions.php – I’m not completely convinced that this will scare off attack-bots.

function remove_xmlrpc_pingback_ping( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );

Note from Future-Future-Timo: as I suspected this will not solve the problem. I went back and deactivated XML-RPC completely.