If you run a server hosting multiple sites, WordPress installations can cause you a particular problem. WordPress exposes a remote publishing interface, XML-RPC (served by xmlrpc.php), which allows third-party clients to post new articles, fetch content and so on.

While a great feature in theory, in practice it is an avenue for attack by botnets, which use it for password brute-forcing and pingback abuse. You will see hundreds or thousands of connections a minute across a multi-domain hosting server (one of our servers has 40 sites on it, nearly all WordPress).

These requests consume resources even when they do not compromise a site (though with multiple sites managed by people of differing technical skill, some may well get compromised through age and lack of updating), to the point where the server cannot perform as expected, causing delays or forcing a hardware upgrade before you should really need one.

If you are running ModSecurity (if you aren't, consider it to protect your own and your clients' sites), you can add the following rule:

# Block POST requests to xmlrpc.php that carry no Referer header.
# The three SecRule lines form one chain: the request is denied only when all three match.
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000900,chain,msg:'xmlrpc.php request blocked, no referer'"
# &HTTP_REFERER counts Referer headers, so @eq 0 means the header is absent
SecRule &HTTP_REFERER "@eq 0" "chain"
# The default operator is @rx (an unanchored regex), so this matches any URI containing xmlrpc.php
SecRule REQUEST_URI "xmlrpc.php"

(adapted from a post by 'dalem' on the cPanel forums: https://forums.cpanel.net/threads/xmlrpc-spam.646765/)

Once this is in place, any POST to xmlrpc.php that does not carry a Referer header (i.e. was not triggered from a link or form on a website) is denied with a 401 status. Note that 401 is "Unauthorized"; "Forbidden" is 403. Either works here, and the status: value in the rule is yours to choose. You can verify the rule by sending a POST to /xmlrpc.php on one of the sites with and without a Referer header and checking which one gets the 401. Bear in mind that the Referer header is set by the client and is trivially spoofed, so this stops lazy bulk scanners rather than a determined attacker.

If you run a firewall or banning tool such as CSF (ConfigServer Security & Firewall) or fail2ban, you can also have it scan the Apache error log (or the ModSecurity audit log) for hits on rule id 5000900 and ban repeat offenders: fail2ban ships an apache-modsecurity filter, and CSF's lfd has a ModSecurity trigger (LF_MODSEC).
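To show what "scan the log and ban repeated offenders" amounts to, here is an added example (not code from the original post, and not fail2ban's or CSF's own code) that does the counting fail2ban would do for this rule: it parses Apache 2.4 error_log lines in the shape ModSecurity 2.x writes on a deny, keeps only denials carrying id "5000900", and reports any client that tripped the rule at least maxretry times inside a findtime window. The log lines are constructed for the example (198.51.100.23 and 203.0.113.9 are documentation addresses), the parser handles IPv4 clients only, and the fail2ban failregex at the end is my own assumed equivalent rather than a filter shipped with fail2ban.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ModSecurity rule id from the SecRule chain above
RULE_ID = "5000900"

# One Apache 2.4 error_log line as written by ModSecurity 2.x on a deny. Only the
# leading timestamp, the [client IP:port] field and the [id "..."] tag are used;
# the text between them is matched loosely. IPv4 clients only.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid [^\]]+\] '
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] .*?'
    r'ModSecurity: Access denied .*?\[id "(?P<id>\d+)"\]'
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"   # strptime also accepts Apache's space-padded day


def modsec_line(ts, ip, rule_id=RULE_ID):
    """Build one constructed error_log line in the shape ModSecurity 2.x writes on deny."""
    return (
        f'[{ts:%a %b %d %H:%M:%S.%f %Y}] [:error] [pid 4242:tid 140] [client {ip}:51234] '
        f'[client {ip}] ModSecurity: Access denied with code 401 (phase 2). '
        f'Pattern match "xmlrpc.php" at REQUEST_URI. [file "/etc/modsecurity/local.conf"] '
        f'[line "12"] [id "{rule_id}"] [msg "xmlrpc.php request blocked, no referer"] '
        f'[hostname "example.com"] [uri "/xmlrpc.php"] [unique_id "ZAAAAAAAAAAAAAAAAAAAAAAA"]'
    )


_T0 = datetime(2023, 3, 21, 10, 15, 1)
SAMPLE_LOG = (
    # constructed: a scanner hammering xmlrpc.php, six denials in 100 seconds
    [modsec_line(_T0 + timedelta(seconds=20 * i), "198.51.100.23") for i in range(6)]
    # constructed: a different (hypothetical) rule id firing for the same client
    + [modsec_line(_T0 + timedelta(seconds=30), "198.51.100.23", rule_id="5000901")]
    # constructed: a client that tripped the rule only twice, seven minutes apart
    + [modsec_line(_T0 + timedelta(minutes=m), "203.0.113.9") for m in (1, 8)]
    # constructed: an unrelated Apache notice that must be ignored
    + [f'[{_T0:%a %b %d %H:%M:%S.%f %Y}] [mpm_prefork:notice] [pid 1] '
       f'AH00163: Apache/2.4.57 configured']
)


def parse_denials(lines, rule_id=RULE_ID):
    """Yield (timestamp, client_ip) for each denial logged under rule_id."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("id") != rule_id:
            continue
        yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")


def repeat_offenders(lines, maxretry=5, findtime=timedelta(minutes=10), rule_id=RULE_ID):
    """Return {client_ip: total_denials} for clients with >= maxretry denials
    inside any findtime window (the same semantics as fail2ban's maxretry/findtime)."""
    hits = defaultdict(list)
    for ts, ip in parse_denials(lines, rule_id):
        hits[ip].append(ts)
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it is within findtime of this hit
            while t - stamps[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(stamps)
                break
    return offenders


# Assumed fail2ban equivalent of LINE_RE (fail2ban strips the timestamp itself and
# substitutes <HOST> for the address); not a filter that ships with fail2ban.
FAIL2BAN_FAILREGEX = (
    r'\[client <HOST>(?::\d+)?\] .*ModSecurity: Access denied .*\[id "5000900"\]'
)

if __name__ == "__main__":
    for ip, count in repeat_offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {count} denials by rule {RULE_ID}")
```

With the defaults the scanner is reported and the two-hit client is not; lowering findtime to 30 seconds drops the scanner as well, since its hits are 20 seconds apart, which is the knob to tune against your own traffic before handing the regex to fail2ban or lfd.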

When might this not be a good idea?

Basically, if you or any of your customers use third-party services that rely on XML-RPC (the WordPress mobile apps and Jetpack are common examples, and pingbacks from other blogs also arrive without a Referer), you may not be able to deploy this rule. If the legitimate client has a fixed IP you could add another SecRule to the chain that exempts that address (ModSecurity's @ipMatch operator on REMOTE_ADDR does this), but a growing list of exemptions is hard to maintain. For sites that do not need XML-RPC at all, disabling it at the WordPress level (the xmlrpc_enabled filter) avoids the question entirely.