Did you know your website could be used to attack other websites?

Or, has your website displayed this message:

“Resource Limit Is Reached. The website is temporarily
unable to service your request as it 
resource limit. Please try again later”

Or, worst:

“500 Internal Server Error”


If so, XML-RPC Support or, specifically, your WordPress xmlrpc.php file may very well have been the reason why.

My goal in writing this article is to clarify what XML-RPC protocol is about, share a bit of history, and provide some quick tips for enabling or disabling XML-RPC Support.

Update, August 2014:
The WordPres 3.9.2 security update was intended to minimize the impact of excessive connections to the xmlrpc.php script.

Here’s the rub, XML-RPC Support, a.k.a., remote publishing, was “OFF” by default in versions of WordPress prior to 3.5.  xmlrpc.phpIn December 2012, the WordPress folks, believing they had fixed the XML-RPC security issues from earlier that year, forced the default XML-RPC protocol setting to “ON.” And, for good measure then removed the option to turn it off within the WordPress dashboard. Zoinks!

Then, later in 2013, distributed denial of service attacks using the XML-RPC mechanism was confirmed again by Incapsula, WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks.

Without going into a long treatise on how or why the XML-RPC protocol can be used and abused, let’s talk about whether you need to leave it “ON” (or OFF!).

If you are not sure what pingbacks or trackbacks are about, there are a lot of great articles written on this subject. I recommend trying a Google search for the phrase, “Why should I care about pingbacks.”


I couldn’t care less about XML-RPC protocol or pingbacks or trackbacks, or Jetpack

If you would prefer to not use plugins and wish to kill the loading of the xmlrpc.php file completely, just add this snippet of text to your .htaccess file:

RewriteRule ^xmlrpc.php$ "" [R=301,L]

This null routing method will use fewer server resources than removing or denying access to the script, which would result in a 404 “file not found” request and additional resources, respectively.


I loves my XML-RPC protocol, pingbacks, and trackbacks, or Jetpack

For those of us who find Jetpack indispensable, and fully disabling xmlrpc.php is not an option, try one of these two options:

Alternatively, disable only pingbacks and trackbacks, while leaving the XML-RPC protocol operational:

  1. Delete the wp-trackback.php file:
  2. Then disallow notifications by going to

And uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)

That should give you back much of the XML-RPC system flavor, without the bad pingback taste.

Alternatively, if Jetpack is your friend (today), instead of denying all access to xmlrpc.php, you can just as easily whitelist the JetPack IP addresses, while denying the rest. This way you’ll retain your Jetpack mojo, while serving up a dead page to begger bots:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from
Satisfy All
ErrorDocument 403

 *If, for example, you are publishing updates from your iPhone using your local WiFi connection you would enter in your local Internet connection IP address to allow access. Hint: Google “What is my IP”


And Enjoy!

I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637



HackGuard.com | Managed WordPress Update Service


Please feel free to comment via WordPress, Twitter, or Facebook

Proactive WordPress Security Management for Pennies a Day™
© Copyright 2024 HackGuard.com™, HackRepair.com™,
The Hack Repair Guy™, Hack Repair Guy™
Copyright and Trademark Statement | Privacy Policy

Call HackRepair.com for website security help, (619) 479-6637.
Content Approved By Jim Walker, The Hack Repair Guy