WordPress powers a significant portion of the web. That popularity also makes it one of the most targeted platforms for automated attacks.
As a WordPress developer, my responsibility isn’t just to build websites—it’s to deliver websites that remain secure, maintainable and sustainable long after deployment.
Since I started working with WordPress professionally in 2016, I’ve noticed that many security incidents are not caused by complex vulnerabilities. They often begin with simple, preventable attack vectors.
One of the most common examples is brute-force authentication.
Attackers continuously send thousands of username/password combinations until they find valid credentials. Using usernames like admin or weak passwords only makes their job easier.
Some developers try to improve security by hiding the login URL. While that may stop casual bots, it doesn’t stop determined attackers. Even the team behind Wordfence doesn’t recommend relying on hidden login URLs as a security strategy.
Instead, I focus on reducing the available attack surface.
xmlrpc.php is a legacy communication endpoint that allowed external applications to interact with WordPress before the REST API existed.
When the WordPress REST API matured, most modern integrations migrated to it. However, XML-RPC remains enabled by default for backward compatibility.
Unfortunately, attackers still abuse XML-RPC for:
✅ Brute-force authentication attempts (using multicall requests to test many passwords efficiently)
✅ DDoS amplification through the pingback feature
If your website doesn’t depend on XML-RPC, leaving it enabled provides little benefit while increasing your attack surface.
If you’re using Wordfence, you can disable XML-RPC authentication from:
Wordfence → Login Security → Settings → Disable XML-RPC authentication
Or block direct access at the web server level with .htaccess:
# Block WordPress xmlrpc.php requests (Apache 2.4 syntax)
<Files "xmlrpc.php">
Require all denied
</Files>

There are also several lightweight plugins in the WordPress Plugin Directory that disable XML-RPC completely.
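As an added example (not code from the original post, from Wordfence or from any plugin named here), a must-use plugin that does at the PHP level what the .htaccess rule does at the web-server level, with a second mode for sites that still depend on XML-RPC: the endpoint stays reachable but the multicall and pingback methods are removed. The HXR_KEEP_XMLRPC constant and the file name are assumptions of the example; the hooks used (xmlrpc_enabled, xmlrpc_methods, wp_headers, pings_open, rsd_link) are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not part of the original post)
 * Description: Blocks xmlrpc.php outright, or keeps it but strips the abused methods.
 *
 * Drop into wp-content/mu-plugins/ (must-use plugins load automatically).
 */

// Constructed setting: false = block xmlrpc.php completely,
// true = keep XML-RPC for a legitimate integration but remove the abused methods.
if ( ! defined( 'HXR_KEEP_XMLRPC' ) ) {
    define( 'HXR_KEEP_XMLRPC', false );
}

if ( ! HXR_KEEP_XMLRPC ) {
    // Core defines XMLRPC_REQUEST before loading WordPress, so this
    // runs for every request to xmlrpc.php and stops it before any method is parsed.
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        http_response_code( 403 );
        exit;
    }
    // Second layer: disable every method that requires authentication (the brute-force surface).
    // Note: this filter does NOT affect pingback.ping, which is unauthenticated.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Applies in both modes: remove the methods attackers abuse.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['system.multicall'],                 // batches many login attempts into one request
        $methods['pingback.ping'],                    // DDoS amplification vector
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint: no X-Pingback header, no RSD <link> in <head>, pings closed.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'pings_open', '__return_false' );
```

With the constant left at false, a POST to xmlrpc.php returns 403 before WordPress parses the request body; with it set to true, integrations that authenticate normally keep working while multicall and pingbacks are gone.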