WordPress Security Guide

Is WordPress XML-RPC a security risk?

Yes. XML-RPC is a significant security risk for WordPress sites. The xmlrpc.php endpoint accepts many login attempts in a single HTTP request through the system.multicall method, so a brute-force attack can test a whole batch of credentials per request and bypass rate limiting that counts requests rather than authentication attempts. The pingback feature can also be abused to turn the site into a source of DDoS amplification traffic.

While XML-RPC is still needed by certain plugins and by the WordPress mobile app, most modern sites can safely disable it in favor of the REST API. Confirm that nothing you rely on still uses the endpoint, then block access to xmlrpc.php in your web server configuration, in .htaccess, or with a security plugin. UNPWNED checks whether XML-RPC is exposed and accessible on your WordPress site.
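For sites that must keep xmlrpc.php reachable, the two abuses described above can be caught at a WAF or in replayed request logs by inspecting the XML-RPC body. The classifier below is an added example written for this guide, not code from the page or from UNPWNED; the credential-method list and the blocking threshold are assumptions you would tune to your own site.

```python
"""WAF-style classifier for a WordPress XML-RPC POST body (added example,
not from the page or UNPWNED): flags system.multicall batches that bundle
several credential-taking sub-calls, and any pingback.ping call."""
import xml.etree.ElementTree as ET

# Methods that take a username/password pair. Assumption: an illustrative
# subset; extend it to whatever methods your site actually exposes.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts"}


def sub_call_names(root):
    """Return the methodName of each sub-call struct in a system.multicall."""
    names = []
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if member.findtext("name") != "methodName":
                continue
            value = member.find("value")
            if value is not None:  # usually <string>name</string>; bare text is legal
                names.append((value.findtext("string") or value.text or "").strip())
    return names


def classify_xmlrpc_request(body, max_credential_calls=1):
    """Return ("block" | "allow", reason) for one request body sent to xmlrpc.php."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "block", "malformed XML-RPC body"
    method = (root.findtext("methodName") or "").strip()
    if method == "pingback.ping":
        return "block", "pingback.ping (DDoS amplification vector)"
    if method == "system.multicall":
        calls = sub_call_names(root)
        cred = [c for c in calls if c in CREDENTIAL_METHODS]
        if len(cred) > max_credential_calls:
            return "block", f"multicall bundles {len(cred)} credential checks"
        return "allow", f"multicall with {len(calls)} sub-call(s)"
    return "allow", method


def constructed_multicall(names):
    """Build a constructed system.multicall body with the given sub-calls (test data)."""
    calls = "".join(
        "<value><struct><member><name>methodName</name>"
        f"<value><string>{n}</string></value></member>"
        "<member><name>params</name><value><array><data/></array></value></member>"
        "</struct></value>" for n in names)
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            f"<params><param><value><array><data>{calls}</data></array></value></param>"
            "</params></methodCall>")
```

A verdict of "block" is the signal to drop the request and log the source; legitimate clients such as the mobile app send one authenticated call per request and pass the threshold unchanged.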


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.