Title: Brute forcing xmlrpc.php
Last modified: May 11, 2017

---

# Brute forcing xmlrpc.php

 *  Resolved [Rob Cubbon](https://wordpress.org/support/users/robcub/)
 * (@robcub)
 * [9 years ago](https://wordpress.org/support/topic/brute-forcing-xmlrpc-php/)
 * It says on your blog that brute forcing xmlrpc.php attacks “are completely ineffective
   if you’re using Wordfence because we simply block the attacker after they reach
   the login attempt limit”.
 * However, it may be possible for attackers to leverage the system.multicall method
   to attempt to guess hundreds of passwords within just one HTTP request on xmlrpc.
   php. Is that true? In which case, the limit to login attempts may not be as effective.
 * Does your plugin block system.multicall requests to xmlrpc.php ?
 * I don’t use Jetpack or anything that uses xmlrpc.php – do you recommend users
   such as myself to block access to xmlrpc.php in the .htaccess ?

Viewing 1 replies (of 1 total)

 *  [wfyann](https://wordpress.org/support/users/wfyann/)
 * (@wfyann)
 * [9 years ago](https://wordpress.org/support/topic/brute-forcing-xmlrpc-php/#post-9124638)
 * Hi [@robcub](https://wordpress.org/support/users/robcub/),
 * Yes, Wordfence does protect against multiple attempts via a single XML-RPC call.
   [This post](https://www.wordfence.com/blog/2015/10/wordpress-xml-rpc-brute-force-attacks-amplification-multiple-logins/)
   on our blog discusses the _XML-RPC Brute Force Attacks with multiple logins_.
 * Please note that for this to work, the [login security](https://docs.wordfence.com/en/Wordfence_options?#Enable_login_security)
   option **must be enabled**.

Viewing 1 replies (of 1 total)

The topic ‘Brute forcing xmlrpc.php’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

## Tags

 * [brute force](https://wordpress.org/support/topic-tag/brute-force/)
 * [xmlrpc](https://wordpress.org/support/topic-tag/xmlrpc/)

 * 3 replies
 * 3 participants
 * Last reply from: [wfyann](https://wordpress.org/support/users/wfyann/)
 * Last activity: [9 years ago](https://wordpress.org/support/topic/brute-forcing-xmlrpc-php/#post-9124638)
 * Status: resolved