WordPress security on VIP

Multiple layers of security are in place to protect WordPress applications:

Site access

WP Cron, XML-RPC, and login endpoints

VIP has multiple security protections in place to protect against unauthorized access and abuse of the WP Cron (/wp-cron.php), login (/wp-login.php), and XML-RPC (/xmlrpc.php) endpoints.

  • At the network level, dynamic security protocols are in place that can be triggered by unusual behavioral patterns. An automated attack would trigger VIP’s dynamic security measures, and login attempts would be completely blocked.
  • The functionality of WordPress Core’s /wp-cron.php is disabled on WordPress VIP. Cron control on WPVIP is initiated and regulated by Automattic’s Cron Control plugin.
  • Brute force attempts on /wp-login.php and /xmlrpc.php are detected and mitigated at the edge (i.e., firewall, NGINX). Attempts to obfuscate the URL of the WordPress login page by altering the URL—via a plugin or otherwise—will remove VIP’s brute force login protections from the login URL.
  • Access to the /xmlrpc.php endpoint is restricted to authorized requests only.
  • The XML-RPC server in WordPress Core code prevents more than one failed authentication attempt per system.multicall request.
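
The caveat about obfuscated login URLs is easier to see with a path-keyed detector. The following is an added example, not VIP's implementation: it counts POSTs per client to the endpoints named above over a sliding window. The combined log format, the threshold, the window, the documentation-range IPs, and the `/team-login` path are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Paths the page names as protected. A renamed login URL is not in this set.
PROTECTED = {"/wp-login.php", "/xmlrpc.php"}
# Assumed NGINX "combined" access-log layout.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def flag_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, path)} that sent >= threshold POSTs to a protected path
    within the window. Assumes lines arrive in chronological order."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, ts, method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if method != "POST" or path not in PROTECTED:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[(ip, path)]
        q.append(when)
        while when - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((ip, path))
    return flagged

def sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    def row(ip, sec, path, status):
        return (f'{ip} - - [14/May/2025:10:00:{sec:02d} +0000] '
                f'"POST {path} HTTP/1.1" {status} 512 "-" "-"')
    lines = [row("203.0.113.7", s, "/wp-login.php", 200) for s in range(0, 12, 2)]
    lines += [row("198.51.100.9", s, "/xmlrpc.php", 200) for s in range(20, 26)]
    # Hypothetical renamed login URL: same behaviour, but the rule never sees it.
    lines += [row("192.0.2.44", s, "/team-login", 200) for s in range(30, 40)]
    lines += [row("192.0.2.10", 45, "/wp-login.php", 302)]  # one ordinary login
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for ip, path in sorted(flag_bruteforce(sample_log())):
        print(f"{ip} exceeded the POST threshold on {path}")
```

The ten POSTs to `/team-login` are never counted because the rule is keyed on the standard paths, which is the effect the login URL caveat describes.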

Last updated: May 14, 2025

Relevant to

  • WordPress