Last Reviewed: May 16, 2022

Avoid XML-RPC Attacks

Learn how to avoid XML-RPC attacks.


This section provides information on how to avoid XML-RPC attacks.

The /xmlrpc.php script is a potential security risk for WordPress sites. It can be used by bad actors to brute force administrative usernames and passwords. You can surface this by reviewing your Live environment's nginx-access.log. The example below is from a site that uses GoAccess.

2 - Top requests (URLs)                                  Total: 366/254431

Hits Vis.     %   Bandwidth Avg. T.S. Cum. T.S. Max. T.S. Data
---- ---- ----- ----------- --------- --------- --------- ----
2026   48 0.77%   34.15 KiB   1.27  s  42.74 mn  38.01  s /xmlrpc.php
566   225 0.21%   12.81 MiB   4.08  s  38.45 mn  59.61  s /
262    79 0.10%  993.71 KiB   2.32  s  10.14 mn  59.03  s /wp-login.php

Pantheon recommends that you disable XML-RPC. The WordPress REST API is a stronger and more secure method for interacting with WordPress from external services.

Pantheon's WordPress upstream has blocked requests to xmlrpc.php by default since the WordPress 5.4.2 core release. If your site runs a version older than 5.4.2, apply the upstream updates to receive this block.

Enable XML-RPC via Pantheon.yml

Note:

XML-RPC is not recommended on the Pantheon platform. Pantheon does not support XML-RPC if it is enabled.

You can re-enable access to XML-RPC for tools and plugins that require it, such as Jetpack or the WordPress mobile app.

  1. Modify your site's pantheon.yml file to allow access to the xmlrpc.php path:

    pantheon.yml
    protected_web_paths_override: true
    protected_web_paths:
      - /private
      - /wp-content/uploads/private

    This maintains the normal protection for the other paths but allows access to xmlrpc.php. Follow the remaining steps below to block all requests to the xmlrpc.php file EXCEPT those from the IP addresses on your allowlist.

  2. Add Jetpack IP addresses to the is_from_trusted_ip function of your wp-config.php file.

  3. Add /xmlrpc.php to your disallow_uri array, for example:

    $disallow_uri = array(
        '/xmlrpc.php',
    );

    The reference code demonstrates IP-based restrictions in the context of locking down admin paths (such as /wp-admin/ and /wp-login.php). While locking down admin paths is a best practice, it may not fit every site's use case, and it is not required to solve this specific Jetpack issue. If you opt to keep admin paths in the $disallow_uri array, you will need to add the IP addresses of yourself and every site administrator to the $trusted_ips array in addition to the Jetpack IPs added in the previous step.
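    The wp-config.php logic that steps 2 and 3 refer to, written out as an added example (this is not Pantheon's reference code): an is_from_trusted_ip() check with an IPv4/CIDR helper, and a $disallow_uri loop that answers 403 to /xmlrpc.php from any other address. The IP addresses are constructed placeholders, and it assumes the platform sets REMOTE_ADDR to the real client address.

```php
<?php
// Added example, not Pantheon's reference code. Place it in wp-config.php
// before the line that requires wp-settings.php. IPs are placeholders.

function is_from_trusted_ip() {
    // Replace with the Jetpack IP ranges (plus admin IPs if you also lock
    // down admin paths). Values below are constructed placeholders.
    $trusted_ips = array(
        '203.0.113.10',      // placeholder: single address
        '198.51.100.0/24',   // placeholder: CIDR range
    );
    // Assumption: the platform sets REMOTE_ADDR to the real client address.
    // X-Forwarded-For is deliberately ignored; a client can set it to anything.
    $client_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ($trusted_ips as $trusted) {
        if (ip_in_range($client_ip, $trusted)) {
            return true;
        }
    }
    return false;
}

// IPv4 exact or CIDR match; any malformed input is treated as "not trusted".
function ip_in_range($ip, $range) {
    if (strpos($range, '/') === false) {
        return $ip === $range;
    }
    list($subnet, $bits) = explode('/', $range, 2);
    $ip_long     = ip2long($ip);
    $subnet_long = ip2long($subnet);
    if ($ip_long === false || $subnet_long === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $mask = ((int) $bits === 0) ? 0 : ((-1 << (32 - (int) $bits)) & 0xFFFFFFFF);
    return ($ip_long & $mask) === ($subnet_long & $mask);
}

// Paths only trusted IPs may reach. Add '/wp-admin/' and '/wp-login.php'
// here as well if you choose to lock down admin paths.
$disallow_uri = array(
    '/xmlrpc.php',
);

// Path only, without the query string; empty under WP-CLI, so nothing is blocked there.
$request_path = isset($_SERVER['REQUEST_URI']) ? (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) : '';
foreach ($disallow_uri as $blocked) {
    if ($request_path !== '' && strpos($request_path, $blocked) === 0 && !is_from_trusted_ip()) {
        header('HTTP/1.1 403 Forbidden');
        exit('Forbidden');
    }
}
```

    Because the check runs before WordPress loads, blocked requests never reach the XML-RPC handler, and the 403 responses remain visible in nginx-access.log for the same GoAccess review shown above.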

Disable XML-RPC via a Custom Plugin

This method allows you to use a custom plugin to toggle between activated and deactivated states without deploying code. This plugin blocks exploitable XMLRPC methods previously available via POST requests.

  1. Set the connection mode to SFTP for the Dev or target Multidev environment via the Pantheon Dashboard or with Terminus:

    terminus connection:set <site>.<env> sftp
  2. Use Terminus and WP-CLI's scaffold plugin command to create a new custom plugin.

    In the following example, replace my-site with your Pantheon site name, and disable-xmlrpc with your preferred name for this new plugin:

    terminus wp my-site.dev -- scaffold plugin disable-xmlrpc
  3. Add the following lines to the main PHP plugin file:

    wp-content/plugins/disable-xmlrpc/disable-xmlrpc.php
    # Disable /xmlrpc.php
    add_filter('xmlrpc_methods', function () {
      return [];
    }, PHP_INT_MAX);

    If your site uses a nested web root directory, you must include that directory in the path. For example, if your nested web root is /wp, use /wp/xmlrpc.php instead of /xmlrpc.php.

  4. Activate the new plugin from within the WordPress admin dashboard, or via Terminus and WP-CLI:

    terminus wp my-site.dev -- plugin activate disable-xmlrpc
  5. Commit and deploy your code changes.

  6. Activate the plugin on your Test and Live environments.

More Resources