Category Archives: wordfence

Should You Disable XML-RPC on WordPress?

A few questions came up in our recent blog post, where we discuss XML-RPC brute force attacks, about disabling XML-RPC on WordPress. To allay any confusion, we thought we would describe exactly what XML-RPC does and whether you should consider disabling it.

XML-RPC on WordPress is actually an API or “application program interface”. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. These include:


WordPress XML-RPC Brute Force Attacks with multiple logins.

We’ve had a few questions about whether Wordfence protects against a newer form of attack that seems to have received some press coverage recently. A hacker will make multiple login attempts with a single XML-RPC call.

Yes, we do protect against brute force via XML-RPC, and we have for some time now. We also protect against multiple attempts via a single XML-RPC call. We created a proof-of-concept attack this morning to verify this. We’re not going to share the script because we don’t want to educate the hackers targeting your sites.

