Hi, do you have the following, Enable Pingback Protection, enabled? This is located under Firewall -> Basic Firewall Rules. If you don’t have it enabled, can you enable this feature?
Thank you for your reply.
I have enabled this option.
However, what impact will disabling XML-RPC functionality have on my website?
I don’t use Jetpack; will other plugins or functions be impacted?
Thank you
Please read the following to further understand what XML-RPC is and/or allows on your site.
According to Wikipedia, XML-RPC is a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism. In short, it is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. It is also needed if you are using the WordPress mobile app. It is also needed if you want to make connections to services like IFTTT.
If you want to access and publish to your blog remotely, then you need XML-RPC enabled.
Thank you, sir. I don’t do any of those functions. Since I have disabled the XML-RPC functionality, all lockdown event emails have stopped.
I run 4 different WordPress websites and would receive 30+ emails on lockdown events.
To be honest, I had no clue that all these attempts were happening.
Thank you again for such a great plugin.
Sorry to jump in here, but I have a question regarding this very topic. I cannot completely disable XML-RPC since I am using Jetpack, so I appreciate that WP Security’s lockout feature works against these attempts.
My question is, can a user actually log in via this XML-RPC route?
Or can they just test username/password combinations to see if they exist? Then they would still have to get to my login page to enter those credentials in order to actually log in. And of course my login page is protected by one of WP Security’s brute force protection features.
I have only had one of these attempts on one site and my WP Security locked them out. I think it helps at least a bit to have your WordPress installation in a subdirectory. Most “hackers” just look for “example.com/xmlrpc.php” and don’t appear to be ambitious enough to check for a possible subdirectory installation (e.g., “example.com/wordpress/xmlrpc.php”).
@jjbte if you have one of the Brute Force features enabled, they will not be able to log into WordPress using the normal login path, i.e. wp-admin and wp-login. But enabling XML-RPC provides the hackers an option to try and exploit this entry and try to log into your site and/or maybe do other damage. If you search in Google about this security issue you will find plenty of information about why many website owners and developers have decided to block this feature in their websites.
Kind regards
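The lockdown emails mentioned earlier in this thread come from the plugin, but the same activity is visible in the web server's own access log, including requests aimed at a subdirectory install such as /wordpress/xmlrpc.php. The following is an added example, not code from the thread or from the plugin: a small Python script that parses combined-format (Apache/nginx) access logs, picks out POST requests to xmlrpc.php at any path depth, and flags source IPs that send a burst of them inside a short window. The log lines, the 5-requests-per-60-seconds threshold and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Detect XML-RPC brute-force bursts in web-server access logs.

Added example (not from the thread or the plugin). Assumes Apache/nginx
"combined" log format; sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
# Fields after status/size (referer, user agent) are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Match xmlrpc.php whether WordPress sits at the web root or in a
# subdirectory (e.g. /wordpress/xmlrpc.php), with or without a query string.
XMLRPC_RE = re.compile(r'(?:^|/)xmlrpc\.php(?:\?.*)?$', re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 10532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
192.0.2.55 - - [10/Oct/2023:14:02:10 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:14:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def xmlrpc_requests(lines, methods=("POST",)):
    """Yield parsed records for xmlrpc.php requests made with any of `methods`.

    POST is the default because XML-RPC calls are always POSTs; a GET to the
    endpoint is usually just a probe to see whether the file exists.
    """
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in methods and XMLRPC_RE.search(rec["path"]):
            yield rec


def flag_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for IPs that sent at least `threshold` xmlrpc.php
    POSTs inside any sliding `window`. Timestamps are sorted per IP first, so
    out-of-order log lines (as in the sample) are handled correctly.
    """
    by_ip = defaultdict(list)
    for rec in xmlrpc_requests(lines):
        by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in sorted(flag_bruteforce(lines).items()):
        print(f"{ip}: {n} xmlrpc.php POSTs within 60s")
```

On the sample data only 203.0.113.7 crosses the threshold (five POSTs in six seconds; its later single request at 14:30 is outside any window), while 198.51.100.23's two requests to the subdirectory path are counted but fall below it, and the GET probe from 192.0.2.55 is ignored. Run it against a real log with `flag_bruteforce(open("/var/log/apache2/access.log").read().splitlines())` and tune `threshold` and `window` to the site's legitimate XML-RPC traffic (for instance, a mobile app or Jetpack) before acting on the result.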
Since the issue has been resolved I am also marking this thread as resolved.
Thank you