Dec 302015

All In One WP Security Plugin Pingback Protection Settings post shows you how to enable and check if xmlrpc is working correctly in your website.

Last Updated: July 22, 2016

Too many keep reporting issues with their website receiving too many lock outs from various IP address. In some cases it might be one IP address that keeps finding a way to try and hack into your website especially the admin login. The first and up-most option you should enable in the plugin is one of the Brute Force features like rename the login page. That will definitely get you well protected to begin the protection process.


However after enabling the above security option some still receive attempted logins and IP lockouts. This is where you would enable the following option in the plugin.

Step 1 ) Go to WP Security -> Firewall -> Basic Firewall Rules, find and enable the following security option. See image below.

  •  Enable Pingback Protection:

Note: Please read carefully the information to learn more about this security option by clicking on More Info link as illustrated in the image below. Read the information before you enable this option.


If the above is enable correctly, when you type the following on your browser.


You should see the following message or something similar depending on how you have set up your website security.

  • 403 forbidden apparently.

If you don’t see any of the above forbidden or error messges and you see the following message XML-RPC server accepts POST requests only, that means that the xmlrpc.php file is still active and working in your website and for some unknown reason enabling the option in the plugin did not right the correct rules in your .htaccess file.

If the above it the case please read on.


Step 2 ) Deactivate the Enable Pingback Protection: option in the plugin save the settings. Log out and then log back in, again activate the Enable Pingback Protection: option and type the following in the browser.

You should see the following message.

  • 403 forbidden apparently.

If the above did not work then carry out the following steps.


Step 3 ) FTP into your website and locate your .htaccess file. Download it locally, open the file with a text editor and locate the following entry. If you don’t see the following code exactly as you see it below then copy and paste or type the following code exactly as you see it into your .htaccess file, save the file and upload it back to the server.

<Files xmlrpc.php>
order deny,allow
deny from all

Type the following in the browser and see what message you receive.

If it is enabled and working correctly you should see the following message.

  • 403 forbidden apparently.

If you followed all of the above then that option is now set up correctly and this should stop anyone trying to access your website via the xmlrpc.php file.

Troubleshooting Steps.

Some times your file permissions might be incorrect. Make sure you check the file permissions in the plugin. If this is the case you might want to clear the .htaccess file and reinstall the plugin, that should write all the rules again. Then carry out the same step to test this as mentioned above.


I hope the above has helped you and you are on your way to a safer and more protected website.

Click on the following link Troubleshooting to continue.

If you have any questions please let me know.


Go Back To All In One WP Security & Firewall Plugin Menu

Manuel Ballesta RuizManuel Ballesta Ruiz is a web developer, Blogger and WordPress Enthusiast.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>