Title: Securing xmlrpc
Last modified: August 21, 2016

---

# Securing xmlrpc

 *  [davorg](https://wordpress.org/support/users/davorg/)
 * (@davorg)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/securing-xmlrpc/)
 * A couple of days ago I got an email from my hosting company saying that they 
   had received complaints from a third party about “attacks” from my server. They
   were very unclear about what the attacks were, but I investigated and discovered
   many hundreds of requests being made to my xmlrpc URL.
 * They were all coming from the same IP address, so I blocked that address. But
   a minute or so later they started up again from another address. Having repeated
   that process a few times, I got bored and just renamed my xmlrpc file.
 * That’s only a temporary solution though. I use the WordPress Android app, so 
   I need access to xmlrpc (I think that’s correct – please let me know if I’m wrong).
 * So I have two questions:
 * 1/ Is it possible to make xmlrpc available in a way that allows only authorised
   users to have access to it? What do other sites do to prevent this kind of abuse?
 * 2/ Is it possible to see exactly what this attacker was doing? As the HTTP requests
   were POSTs, in the web server access log I get no details of the parameters used.
   Are these logged somewhere by WordPress?
 * Any advice would be very welcome.
 * Thanks,
 * Dave…

The topic ‘Securing xmlrpc’ is closed to new replies.

## Tags

 * [xmlrpc](https://wordpress.org/support/topic-tag/xmlrpc/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 0 replies
 * 1 participant
 * Last reply from: [davorg](https://wordpress.org/support/users/davorg/)
 * Last activity: [12 years, 8 months ago](https://wordpress.org/support/topic/securing-xmlrpc/)
 * Status: not resolved

