Protecting Against XMLRPC.PHP Exploits on WordPress Sites


WordPress sites ship with an xmlrpc.php file, which is a common attack vector. This article describes how to block access to it.


1. Rename the xmlrpc.php file, which is typically found in /var/www/html.

2. Adjust the Apache configuration (/etc/httpd/conf/httpd.conf) to include the following.

If there is a <VirtualHost> section, it should be included there; otherwise, include it after the <Directory> section.

<Files "xmlrpc.php">
  order allow,deny
  deny from all
</Files>
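The two steps above as a small POSIX shell script, added here as an example and not part of the original article: it renames the file, inserts the <Files> block (inside the first <VirtualHost> if one exists, otherwise at the end of the file) and checks that a config actually denies access. The block on the page uses Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent is `Require all denied`, which the script emits when asked for version 2.4. The config path, the document root and the `.disabled` suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): apply and verify the
# xmlrpc.php lockdown described above. Paths and suffix are assumptions.

# Print the <Files> block: Apache 2.2 syntax (as on the page) or 2.4 syntax.
xmlrpc_block() {
  if [ "$1" = "2.4" ]; then
    printf '<Files "xmlrpc.php">\n  Require all denied\n</Files>\n'
  else
    printf '<Files "xmlrpc.php">\n  order allow,deny\n  deny from all\n</Files>\n'
  fi
}

# Exit 0 if CONF ($1) has a <Files "xmlrpc.php"> section that denies all access
# in either syntax; a section that merely exists (e.g. "allow from all") does not count.
xmlrpc_blocked() {
  awk '
    /<Files[[:space:]]+"?xmlrpc\.php"?>/ { inblock = 1; next }
    /<\/Files>/ { inblock = 0; next }
    inblock && /^[[:space:]]*([Dd]eny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Insert the block into CONF ($1) unless already present. $2 is the Apache
# version ("2.2" default, or "2.4"). Goes inside the first <VirtualHost>
# if there is one, otherwise is appended at the end of the file.
add_xmlrpc_block() {
  conf="$1"; ver="${2:-2.2}"
  xmlrpc_blocked "$conf" && return 0
  block=$(xmlrpc_block "$ver")
  if grep -q '</VirtualHost>' "$conf"; then
    awk -v blk="$block" '!done && /<\/VirtualHost>/ { print blk; done = 1 } { print }' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  else
    printf '\n%s\n' "$block" >> "$conf"
  fi
}

# Step 1 of the article: rename xmlrpc.php so the URL no longer resolves.
# The ".disabled" suffix is an assumption; the article names no target name.
rename_xmlrpc() {
  docroot="${1:-/var/www/html}"
  if [ -f "$docroot/xmlrpc.php" ]; then
    mv "$docroot/xmlrpc.php" "$docroot/xmlrpc.php.disabled"
  fi
}
```

After editing a live config, run `apachectl configtest` and reload Apache; a request for /xmlrpc.php should then return 403.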