How to Fix XML-RPC Attacks and Disable It in cPanel
Posted about 4 months ago
XML-RPC Attack Risks
High risk: Brute force and DDoS via xmlrpc.php in WordPress.
Check for Attacks
In cPanel, go to Metrics → Errors and search for repeated POST requests to xmlrpc.php.
Disable via .htaccess
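# Block xmlrpc.php (Apache 2.4 syntax, with a 2.2 fallback)
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>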
Alternative Disable Methods
Use Plugin
Install the 'Disable XML-RPC' or 'Manage XML-RPC' plugin.
Block with ModSecurity
Add a custom rule to block POST requests to xmlrpc.php.
Safe to Disable?
| Feature | Needs XML-RPC | Alternative |
|---|---|---|
| Jetpack | Yes (older) | Use Jetpack without XML-RPC |
| Mobile app | Yes | Works with REST API |
| Pingbacks | Yes | Disable in settings |
| Most modern plugins | No | Use REST API |