
XML-RPC Authentication

XML-RPC allows requests formatted in XML to be sent between WordPress and other systems. The XML-RPC endpoint is enabled on new WordPress sites by default since the release of WordPress version 3.5. The XML-RPC endpoint is extremely useful, but is also a common attack vector for WordPress sites. Security reviews for WordPress sites often recommend disabling the XML-RPC endpoint entirely.

On the VIP Platform, multiple security protections are in place to protect a site’s XML-RPC endpoint against unauthorized access and abuse.

  • Rate limiting is in place at the edge (i.e., firewall, NGINX) to protect the XML-RPC endpoint (/xmlrpc.php) and detect and mitigate brute force attempts. If requests from an IP address to a site’s XML-RPC exceed the threshold of 10 requests per 30 seconds, a one-hour block timeout will be enforced for that IP address.
  • The XML-RPC server in WordPress Core code prevents more than one failed authentication attempt per system.multicall request.
  • For elevated security, new WordPress environments are configured to only allow application passwords for the authentication of requests made to a site’s XML-RPC endpoint. The allowed method of authentication can be updated in the WordPress Security Controls panel in the VIP Dashboard. Additional authentication options can be configured to allow both application passwords and user credentials, or to disable the XML-RPC endpoint entirely.
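The edge rate limit described in the first bullet (10 requests per 30 seconds per IP, then a one-hour block) can be modelled as a sliding-window limiter. The following is an added example, not VIP's or NGINX's code; the limiter, the request log format and the IP addresses are all constructed here to show how the threshold, the sliding window and the block expiry interact.

```python
"""Sliding-window rate limiter modelling the XML-RPC edge protection above.

Constructed example (not VIP's or NGINX's code): each client IP may make at
most LIMIT requests to /xmlrpc.php within any WINDOW-second span; exceeding
that puts the IP on a BLOCK-second timeout during which every request is
rejected. Only requests to the XML-RPC path count toward the threshold.
"""
from collections import defaultdict, deque

LIMIT = 10        # requests allowed ...
WINDOW = 30.0     # ... within any sliding window of this many seconds
BLOCK = 3600.0    # timeout applied once the threshold is exceeded (one hour)
XMLRPC_PATH = "/xmlrpc.php"


class XmlRpcRateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW, block=BLOCK):
        self.limit, self.window, self.block = limit, window, block
        self._hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self._blocked_until = {}          # ip -> time at which the block expires

    def check(self, ip, now):
        """Decide one request. Returns (allowed, reason). Call in time order."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False, "blocked"
            # Block has expired: forget it and start with an empty window.
            del self._blocked_until[ip]
            self._hits[ip].clear()
        hits = self._hits[ip]
        # Drop timestamps that have slid out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.limit:
            self._blocked_until[ip] = now + self.block
            hits.clear()
            return False, "threshold exceeded; blocked for %ds" % self.block
        return True, "ok"


# Constructed traffic (epoch seconds, client IP, path): a burst of 11 requests
# from one address in 11 seconds, retries just before and just after its block
# expires, an unrelated login-page hit, and a slower client that stays under
# the limit (10 requests spaced 4 seconds apart, never more than 8 per window).
SAMPLE_REQUESTS = (
    [(t, "203.0.113.5", XMLRPC_PATH) for t in range(0, 11)]
    + [(11, "203.0.113.5", XMLRPC_PATH),
       (3609, "203.0.113.5", XMLRPC_PATH),
       (3610, "203.0.113.5", XMLRPC_PATH),
       (2, "203.0.113.5", "/wp-login.php")]
    + [(t, "198.51.100.7", XMLRPC_PATH) for t in range(0, 40, 4)]
)


def replay(requests, limiter=None):
    """Feed requests through the limiter in time order; return a list of
    (timestamp, ip, allowed) for every request that targeted /xmlrpc.php."""
    limiter = limiter or XmlRpcRateLimiter()
    decisions = []
    for ts, ip, path in sorted(requests):
        if path != XMLRPC_PATH:
            continue                      # other paths are not rate limited here
        allowed, _reason = limiter.check(ip, ts)
        decisions.append((ts, ip, allowed))
    return decisions


def summarize(decisions):
    """Per-IP counts of (allowed, blocked) XML-RPC requests."""
    counts = defaultdict(lambda: [0, 0])
    for _ts, ip, allowed in decisions:
        counts[ip][0 if allowed else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ts, ip, allowed in replay(SAMPLE_REQUESTS):
        print("%5d %-14s %s" % (ts, ip, "allow" if allowed else "BLOCK"))
    print(summarize(replay(SAMPLE_REQUESTS)))
```

Running it shows the eleventh burst request tripping the block, the retry one second before expiry still rejected, and the request at exactly one hour after the block admitted again, while the slower client is never touched. The comparison `now - hits[0] >= self.window` is what makes the window slide rather than reset on a fixed boundary.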

Limitations

  • Settings in the WordPress Security Controls panel are per-environment. For WordPress multisite environments, different settings cannot be applied per-network site.
  • If application code calls the remove_all_filters() function, WordPress Security Controls will not work as expected.

Access

Prerequisite

To access and manage settings for XML-RPC Authentication in the WordPress Security Controls panel, a user must have an App write role for an application or an Org admin role.

To access settings for XML-RPC Authentication in the WordPress Security Controls panel in the VIP Dashboard:

  1. Navigate to the VIP Dashboard for an application.
  2. Select an environment from the dropdown located at the upper left of the dashboard.
  3. Select “Security Controls” from the sidebar navigation at the left of the screen.
  4. Select “WordPress” from the navigation submenu.
  5. Select the accordion module titled “XML-RPC Authentication”.

Configure

In the XML-RPC Authentication module of WordPress Security Controls, configure the authentication method for an environment’s XML-RPC endpoint.

  1. Select one of the authentication method options listed below the label “XML-RPC Authentication Settings”:
    • Elevated Security: Only allow requests from Jetpack. Block all other requests to the XML-RPC endpoint.
    • Default: Requests to the XML-RPC endpoint can only be authenticated with an application password.
    • Baseline: Requests to the XML-RPC endpoint can be authenticated with an application password or with the login credentials of an existing user that does not have 2FA enabled. This mode is less secure than the other options.
  2. If configuring the XML-RPC Authentication module for a production environment, optionally toggle the box labeled “Apply these settings to all environments in this application” to apply the selected authentication method to all of the application’s environments.
  3. Select the button labeled “Save Changes” to apply the updated setting to the environment.
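To make the three modes concrete, and to show how they combine with the Core rule that a system.multicall request gets at most one failed password check, here is an added model of the server-side decision. It is not VIP's or WordPress Core's code: the user records, passwords and the `from_jetpack` flag are constructed stand-ins (real Jetpack requests are verified by Jetpack's own signing, which this model assumes has already happened upstream).

```python
"""Model of the XML-RPC authentication behaviour described on this page.

Constructed example, not VIP's or WordPress Core's code. It combines the three
Security Controls modes (elevated / default / baseline) with Core's rule that a
single system.multicall request may contain at most one failed password check.
Users, passwords and the `from_jetpack` flag are made-up stand-ins.
"""
import hmac
from dataclasses import dataclass, field

ELEVATED, DEFAULT, BASELINE = "elevated", "default", "baseline"


@dataclass
class User:
    password: str                                # account password (plain text in this model only)
    app_passwords: set = field(default_factory=set)
    two_factor: bool = False


# Constructed accounts: one without 2FA, one with 2FA enabled.
USERS = {
    "editor": User(password="editor-pw", app_passwords={"app-pw-1"}, two_factor=False),
    "admin": User(password="admin-pw", app_passwords={"app-pw-2"}, two_factor=True),
}


def _matches(secret, candidates):
    """Constant-time membership test so timing does not reveal near misses."""
    return any(hmac.compare_digest(secret, c) for c in candidates)


class XmlRpcRequest:
    """One inbound XML-RPC request. A fresh instance is created per request, so
    the auth_failed flag only spans the calls inside a single multicall."""

    def __init__(self, mode, users=USERS, from_jetpack=False):
        self.mode, self.users, self.from_jetpack = mode, users, from_jetpack
        self.auth_failed = False

    def login(self, username, password):
        """Return (ok, reason) for one credential check inside this request."""
        if self.mode == ELEVATED:
            # Elevated: only Jetpack may talk to the endpoint at all (assumed
            # verified upstream); every other caller is refused outright.
            if self.from_jetpack:
                return True, "jetpack request accepted"
            return False, "xml-rpc blocked for non-Jetpack callers"
        if self.auth_failed:
            # Modelled Core rule: after one failure, no further guesses are
            # evaluated within the same multicall, even a correct one.
            return False, "login prevented"
        user = self.users.get(username)
        ok = False
        if user is not None:
            if _matches(password, user.app_passwords):
                ok = True                          # application passwords work in default and baseline
            elif self.mode == BASELINE and not user.two_factor:
                ok = _matches(password, {user.password})   # account password: baseline only, no 2FA
        if not ok:
            self.auth_failed = True
            return False, "incorrect username or password"
        return True, "authenticated"

    def multicall(self, calls):
        """calls: list of (method, username, password). One (method, ok, reason) per call."""
        return [(method,) + self.login(username, password) for method, username, password in calls]


def handle(mode, calls, from_jetpack=False):
    """Serve one system.multicall in the given mode with fresh per-request state."""
    return XmlRpcRequest(mode, from_jetpack=from_jetpack).multicall(calls)


if __name__ == "__main__":
    guesses = [("wp.getUsersBlogs", "editor", "wrong-1"),
               ("wp.getUsersBlogs", "editor", "wrong-2"),
               ("wp.getUsersBlogs", "editor", "app-pw-1")]
    for mode in (DEFAULT, BASELINE, ELEVATED):
        print(mode, handle(mode, guesses))
```

The multicall in the usage block carries two bad guesses followed by a valid application password; in default and baseline mode the first guess fails and the remaining two are refused without being compared, which is the property that removes the value of packing many guesses into one request. A second request starts with a clean flag, which is where the edge rate limit takes over.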

Caution

If XML-RPC is disabled, any services that rely on its availability (other than Jetpack) will no longer work as expected.

XML-RPC and Jetpack

Disabling or restricting access to a site’s XML-RPC endpoint can be done in code, but doing so often breaks the site’s connection to Jetpack. Configuring an XML-RPC authentication option within WordPress Security Controls (including the option to disable XML-RPC) keeps the site’s Jetpack connection working.

Important Jetpack features that will continue to work as expected even if XML-RPC is disabled within WordPress Security Controls:

  • Jetpack Search: Jetpack’s Elasticsearch solution increases search result speed and relevancy. If XML-RPC is disabled in code, Elasticsearch will not be reachable. Slow queries that would usually be offloaded to Elasticsearch will instead go directly to MySQL, which can cause performance issues.
  • Uptime monitoring: Jetpack provides uptime monitoring for launched sites as part of VIP’s infrastructure alerting.
  • Jetpack sync: Jetpack features that rely on Jetpack sync functionality include Jetpack Stats, Jetpack Related Posts, and Jetpack Activity Log.

Last updated: September 02, 2025
