Blog of Raivo Laanemets


Stopping WordPress XML-RPC attacks with Nginx


WordPress XML-RPC attacks are used to guess the admin user password. XML-RPC is an API interface used by some WordPress plugins and tools. An effective way to stop the attacks is to disable the whole XML-RPC API. This works well if you do not rely on the plugins and tools that use it.

I'm using Nginx for my WordPress sites. The sites suffered XML-RPC attacks recently. The attacks tied up all PHP-FPM processes, causing some of the sites to go offline. A solution from this guide, denying requests to the xmlrpc.php file, did not work for me. It uses the following location block:

location /xmlrpc.php {
    deny all;
}

After enabling the rule, I was still able to open http://mysite.com/xmlrpc.php and see the text returned by the script:

XML-RPC server accepts POST requests only.

This happened because a prefix location like this one does not end the location search: Nginx still checks the regular-expression locations, the site's "location ~ \.php$" block wins, and the request is still passed to the PHP-FPM process. An exact match ("=") is checked first and stops the search. The correct rule is:

location = /xmlrpc.php {
    deny all;
}

With this rule I get the expected result when visiting the file:

403 Forbidden

If your site does not use WordPress comments, also add:

location = /wp-comments-post.php {
    deny all;
}

to disable comments as well.
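For context, here is a minimal WordPress server block showing how the two exact-match rules sit next to the usual PHP handler. This is an added example, not the post's own configuration; the server_name, root and fastcgi_pass values are assumptions to be replaced with your own.

```nginx
# Added example (not the post's configuration): minimal WordPress vhost.
# server_name, root and the PHP-FPM socket path are assumptions.
server {
    listen 80;
    server_name example.com;              # assumption
    root /var/www/example.com;            # assumption
    index index.php;

    # Exact-match ("=") locations are checked before regex locations and
    # end the search, regardless of their order in the file. A plain prefix
    # "location /xmlrpc.php" would lose to "~ \.php$" below and the request
    # would still reach PHP-FPM.
    location = /xmlrpc.php {
        deny all;                         # 403 Forbidden, nothing sent to PHP
    }

    # Only if the site does not accept comments.
    location = /wp-comments-post.php {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Every other PHP file is handed to PHP-FPM as usual.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }
}
```

Check the syntax with nginx -t, reload, then request http://example.com/xmlrpc.php with curl -i: the response should be 403 Forbidden rather than the "XML-RPC server accepts POST requests only" text. The denied requests still show up in the access log, which is useful for spotting an ongoing guessing attack even though it no longer costs a PHP worker.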

And never trust any guide without checking results yourself.

