Dec 302015

All In One WP Security Plugin Pingback Protection Settings post shows you how to enable and check if xmlrpc.php file is working correctly in your website.

Last Updated: April 25, 2019

Latest News: I updated a link in the end of the documentation.

Too many keep reporting issues with their website receiving too many lock outs from various IP address. In some cases it might be one IP address that keeps finding a way to try and hack into your website especially the admin login. The first and up-most option you should enable in the plugin is one of the Brute Force features like rename the login page. That will definitely get you well protected to begin the protection process.

However after enabling the above security option some still receive attempted logins and IP lockouts. They might be targeting the following file xmlrpc.php. This file can be found in the WordPress root directory of your website installation. Enabling one of the following features will help you even further.

Step 1 ) Go to WP Security -> Firewall -> Basic Firewall Rules, find and enable the following security option. See image below.

  • Completely Block Access To XMLRPC:
  • Disable Pinback Functionality From XMLRPC:

Note: Please read carefully the information to learn more about these two security options by clicking on More Info link as illustrated in the image below. Read the information carefully before you enable this option.


When you enable the following Complete Block Access To XMLRPC: you will see the following message appear in the plugin back end. When you enable this feature you are blocking acces to the following file xmlrpc.php. This file can be found in the WordPress root directory of you website installation.

(Attention: You have enabled the “Completely Block Access To XMLRPC” checkbox which means all XMLRPC functionality will be blocked.
By leaving this feature enabled you will prevent Jetpack or WordPress iOS or other apps which need XMLRPC from working correctly on your site.
If you still need XMLRPC then uncheck the “Completely Block Access To XMLRPC” checkbox and enable only the “Disable Pingback Functionality From XMLRPC” checkbox. )

Note: Some users report login attempts Brute Force Attacks in their website. If you only log in through your website then enable this feature Completely Block Access To XMLRPC:.

If you enable Completely Block Access To XMLRPC: and if it is working correctly in your site, when you type the following on the browser.


You should see the following message or something similar depending on how you have set up your website security.

  • 403 forbidden apparently.

If you don’t see the above forbidden or an error message and you see the following message XML-RPC server accepts POST requests only, that means that the xmlrpc.php file is still active and working in your website and for some unknown reason it did not write the correct rules in your .htaccess file.

Note: The above does not apply if you enable the following option Disable Pinback Functionality From XMLRPC:.

If you experience the above please read on.


Troubleshooting XMLRPC

Troubleshooting step 1 ) Disable the following option Completely Block Access To XMLRPC: and save the settings. Log out and then log back in, again activate the Completely Block Access To XMLRPC: option and type the following in the browser.

You should see the following message.

  • 403 forbidden apparently.

If the above did not work then carry out the following steps.


Troubleshooting step 2 ) FTP into your website and locate your .htaccess file. Download it locally, open the file with a text editor and locate the following entry. If you don’t see the following code exactly as you see it below then copy and paste or type the following code exactly as you see it into your .htaccess file, save the file and upload it back to the server.

<Files xmlrpc.php>
order deny,allow
deny from all

Type the following in the browser and see what message you receive.

If it is enabled and working correctly you should see the following message.

  • 403 forbidden apparently.

If you followed all of the above then that option is now set up correctly and this should stop anyone trying to access your website via the xmlrpc.php file.


Troubleshooting step 3 ) Some times your file permissions might be incorrect. Make sure you check the file permissions in the plugin. If this is the case you might want to clear the .htaccess file and reinstall the plugin, that should write all the rules again. Then carry out the same step to test this as mentioned above.


I hope the above has helped you and you are on your way to a safer and more protected website.

Click on the following link Troubleshooting to continue.

If you have any questions please let me know.


All In One WP Security & Firewall Plugin Tutorial List

Manuel Ballesta Ruiz is a web developer, Blogger and WordPress Enthusiast.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>