xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!


Did you know your website could be used to attack other websites?

Or, has your website displayed this message:

“Resource Limit Is Reached. The website is temporarily
unable to service your request as it 
resource limit. Please try again later”

Or, worst:

“500 Internal Server Error”


If so, XML-RPC Support or specifically your WordPress xmlrpc.php file may very well have been the reason why.

What is this article about?

My goal in writing this article is to clarify what XML-RPC protocol is about, share a bit of history, and provide some quick tips for enabling or disabling XML-RPC Support.

Update, August 2014:
The WordPres 3.9.2 security update was intended to minimize the impact of excessive connections to the xmlrpc.php script.

Here’s the rub, XML-RPC Support, a.k.a., remote publishing, was “OFF” by default in versions of WordPress prior to 3.5.  xmlrpc.phpIn December 2012, the WordPress folks, believing they had fixed the XML-RPC security issues from earlier that year, forced the default XML-RPC protocol setting to “ON.” And, for good measure then removed the option to turn it off within the WordPress dashboard. Zoinks!

Then, later in 2013, distributed denial of service attacks using the xmlrpc mechanism were confirmed again by Incapsula, WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks.

Without going into a long treatise on how or why the XML-RPC protocol can be used and abused, let’s talk about whether you need to leave it “ON” (or OFF!).

If you are not sure what pingbacks or trackbacks are about there are lot of great articles written on this subject. I recommend trying a Google search for the phrase, “why should I care about pingbacks.”


I couldn’t care less about XML-RPC protocol or pingbacks or trackbacks, or Jetpack

If you would prefer to not use plugins and wish to kill the loading of the xmlrpc.php file completely, just add this snippet of text to your .htaccess file:

RewriteRule ^xmlrpc.php$ "" [R=301,L]

This null routing method will use less server resources than removing or denying access to the script; which would result in a 404 “file not found” request and additional resources respectively.


I loves my XML-RPC protocol, pingbacks and trackbacks, or Jetpack

For those of us who find Jetpack indispensable, and fully disabling xmlrpc.php is not an option, try one of these two options:

  • Disable XML-RPC plugin. The Disable XML-RPC plugin was written to disable the XML-RPC API, but does not disable the trackbacks and pingbacks required by Jetpack and other mobile applications.
  • Remove XMLRPC Pingback Ping should likewise allow JetPack and WordPress Mobile Applications to operate without error.

Alternately, to disable only pingbacks and trackbacks, while leaving the XML-RPC protocol operational:

  1. Delete the wp-trackback.php file:
  2. Then disallow notifications by going to

And uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)

That should give you back much of the XML-RPC system flavor, without the bad pingback taste.

Alternatively, if Jetpack is your friend (today), instead of denying all access to xmlrpc.php, you can just as easily whitelist the JetPack IP addresses, while denying the rest. This way you’ll retain your Jetpack mojo, while serving up a dead page to begger bots:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from
Satisfy All
ErrorDocument 403

 *If, for example, you are publishing updates from your iPhone using your local WiFi connection you would enter in your local Internet connection IP address to allow access. Hint: Google “What is my IP”


And Enjoy!

I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637



HackGuard.com | Managed WordPress Update Service


Please share with your friends:
Tweet about this on TwitterShare on FacebookShare on Google+Pin on PinterestShare on LinkedIn

Please feel free to comment via WordPress, Twitter, Facebook or Google+