This article explains how you can lock down xmlrpc.php using .htaccess. However, it might be a better option to protect the xmlrpc.php endpoint instead, filtering out the unwanted traffic.
The WordPress xmlrpc.php endpoint can be misused as an endpoint for brute force attacks.
If you do not use xmlrpc.php for any integrations, you might as well disable it completely. Adding these lines to your .htaccess file will disallow access to the endpoint for everyone.
Edit your public/.htaccess file and add:
<Files xmlrpc.php>
Require all denied
</Files>
Note: xmlrpc.php is required by some plugins, like Jetpack.
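Before denying access, it helps to confirm from the access log that nothing legitimate posts to xmlrpc.php, and afterwards that such requests are answered with 403. The script below is an added example, not part of the original article; it assumes Apache's combined log format, and the log lines and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "example-integration"
192.0.2.5 - - [10/Mar/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:10:06:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:11:00:00 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
'''

# client IP, request method, request path and status code of one log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_summary(log_text):
    """Return {client_ip: Counter({status: count})} for POSTs to xmlrpc.php."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a POST
        path = m["path"].split("?", 1)[0]           # drop the query string
        if path.rsplit("/", 1)[-1] != "xmlrpc.php":  # compare file name only
            continue
        summary[m["ip"]][int(m["status"])] += 1
    return dict(summary)

def still_reachable(summary):
    """Clients that received any answer other than 403 for xmlrpc.php."""
    return sorted(ip for ip, codes in summary.items()
                  if any(status != 403 for status in codes))

if __name__ == "__main__":
    result = xmlrpc_summary(SAMPLE_LOG)
    for ip, codes in sorted(result.items()):
        print(ip, dict(codes))
    print("non-403 responses seen for:", still_reachable(result))
```

A client with many POSTs in a short window is a candidate for the brute force traffic described above, while a low-volume client may be an integration that would break once the rule is in place.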