wordpress · Check
WordPress XML-RPC enabled — disabling /xmlrpc.php
GET `/xmlrpc.php` returned the WordPress XML-RPC "accepts POST requests only" message, confirming the endpoint is live. XML-RPC is routinely abused for brute-force amplification (`system.multicall` lets attackers try hundreds of passwords per request) and pingback-based DDoS reflection.
Why it matters
Modern WordPress sites rarely need XML-RPC — the REST API has replaced it for most integrations. Disabling it removes a high-impact attack surface with negligible operational cost.
Real-world risk
XML-RPC supports system.multicall, which lets attackers try hundreds of passwords per single request — a brute-force amplifier — and pingback methods that reflect attacks at third-party sites for DDoS.
Fix steps (in order)
- If no integration needs it, disable XML-RPC entirely: filter('xmlrpc_enabled', '__return_false');
- Block /xmlrpc.php at the webserver, CDN, or via a security plugin (Wordfence, iThemes Security).
- If a specific integration needs XML-RPC, restrict access by source IP rather than leaving it open.
- Verify with: curl -s https://your-site/xmlrpc.php (should return 403 / 404 / 405).
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (wp_xmlrpc_enabled) clears once the externally-observable signal is in place.