xmlrpc.php WordPress Attacks (Log Examples + Detection Guide)
See real xmlrpc.php payloads in WordPress access logs. Learn how to detect credential stuffing instantly and block XML-RPC abuse at the server level.
Log Signature Detected: If you're seeing '103.45.67.89 - - [02/Apr/2026:14:32:01 +0000] "POST /xmlrpc....' in your logs, your server may be under a brute-force attack.
Real Log Example
103.45.67.89 - - [02/Apr/2026:14:32:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0"
103.45.67.89 - - [02/Apr/2026:14:32:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0"
103.45.67.89 - - [02/Apr/2026:14:32:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0"
What Is a Brute Force Attack?
Security analysts and DevOps teams monitoring infrastructure like Nginx, Apache HTTP Server, Node.js, AWS, and WordPress must be able to quickly identify and triage these malicious log patterns to prevent data breaches.
The xmlrpc.php endpoint in WordPress is commonly targeted by attackers to perform brute-force login attempts or amplify DDoS attacks.
Even though the request returns a 200 status, it may still indicate malicious activity, especially if it is repeated frequently. This requires a different mitigation strategy than simply blocking xmlrpc.php in the Nginx config.
Attackers exploit this endpoint because it allows multiple authentication attempts in a single request, making brute-force attacks highly efficient.
How to Detect xmlrpc.php WordPress Attacks in Logs
Method Specificity: Normal web browsing relies on GET requests. XML-RPC attacks rely exclusively on POST requests to the /xmlrpc.php file.
False Positives (200 OK): Because XML-RPC handles the authentication logic internally, even failed password attempts will return a 200 OK in the access log. You must look at the frequency of the requests, not the HTTP status code.
IP Source: These attacks rarely come from standard residential ISPs; they usually originate from known datacenter IPs or Tor exit nodes.
Brute Force Attack Detection Checklist
| Pattern | Indicator | Severity |
|---|---|---|
| Repeated POST to /xmlrpc.php | WordPress credential stuffing | Critical |
| 200 OK on xmlrpc.php from same IP | Brute force masked by normal status | High |
| Datacenter or Tor exit node source IP | Non-residential attack origin | High |
How to Defend Against This Threat
Disable XML-RPC if not required using plugins or server configuration.
Use a firewall to block repeated requests to xmlrpc.php.
Enable rate limiting to prevent abuse.