Make your WordPress faster – lock and block XMLRPC attacks


There are plenty of reasons why your WordPress website works slowly. And there are also plenty of solutions for them.

Sometimes although we do everything right with using right plugins, theme, configuring cache etc., there is still slow response. Personally i met such situations 10-s times in clients’ websites.  Everything seems to correct, but performance is very slow.

If that website is in dedicated or VPS server, it is easy to find the real reason. We do server monitoring, and after few hours monitoring data tells us what the problem is.

But the client’s website is in shared hosting, providing such independent server monitorings is not possible.

In that case the website needs personal approach.

XMLRPC attacks:

Today i am writing about very popular reason of such kinds of problems – brute force or massive post data sending  via XMLRPC.

XMLRPC is the WordPress API which is dedicated to help 3rd party services(such as mobile apps) to work with your WordPress website.

There is dedicated php file to connect that API, xmlrpc.php in home folder. So this is some kind of hidden door for your WordPress website.

Possible reason of WordPress slow performance might be XMLRPC attacks which you can prevent


And if your website has got the problem which i have described above (everything is correct, but performance is still slow), closing or locking XMLRPC door may help your website to get better performance.

  1. To close XMLRPC you can add WordPress hook to your theme’s functions.php
    add_filter('xmlrpc_enabled', '__return_false');

    Or you can simple add die(); line to the start line of xmlrpc.php.

  2. But if you do 1st solution, you will not be able to connect to your WordPress website via officilal WordPress Android/IOS apps. If you want to block your website XMLRPC for strangers and keep it available for your apps, you can use Guaven FP plugin.
    1st feature of that plugin can block wp-admin and XMLRPC for everyone except you.
    When you are able to open your wp-admin and to connect your website via apps, strangers will get wp-admin 404 error and empty data correspondingly.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.