I have recently been having a few issues with bots and malicious attacks trying to breach WordPress websites via brute force attacks. From my experience 90% of the websites, I have built or worked on never utilise the xmlrpc service, which is included with WordPress, due to this I decided to simply block any access to this service via Apache, which fixes a number of security related issues.

Code

Place this in your websites .htaccess file to take effect, then simply browser to domain.com/xmlrpc.php and you now get an access denied message.

What is XMLRPC?

The xmlrpc.php allows remote access to your WordPress site, it allows various tools and publishing applications to control and manage content from outside of the normal WordPress admin. For example, a publishing tool may allow you to write new blog posts using an alternative tool (instead of the WordPress admin).

Do I need it?

If you do not use any tools / services which utilise xmlrpc, then you do not need it and can apply the block in this post. For example, if you use the WordPress app to manage your website from your phone then you will need to keep XMLRPC working.

Why block XMLRPC?

Due to the nature of XMLRPC, it allows remote services to connect and perform actions on your website, this creates an additional security risk, and it is very common for malicious attacks to target XMLRPC with bruite-force attacks, trying to guess your password and / or access other services exposed by the XMLRPC protocol.

This code is provided as it and may require changes to work for your needs.