Server load spikes from thousands of POSTs to xmlrpc.php
XML-RPC is barely used anymore but constantly abused for brute-force amplification.
Try this first
- 1Check access logs for spikes on /xmlrpc.php
- 2Add a block in .htaccess or nginx config that denies xmlrpc.php
- 3Or in functions.php: add_filter('xmlrpc_enabled', '__return_false')
- 4Verify Jetpack or mobile apps still work, otherwise selectively whitelist
When to bring us in
If you actively need xmlrpc (legacy apps), restrict via a Cloudflare rule with IP whitelist.
See also
- WordPress, plugins and theme have gone 6+ months without updatesOut-of-date WP is the number-one entry for malware. Don't just hit 'update all', back up first.
- Theme update broke the layout or threw a fatal errorThemes overwrite custom CSS on update unless you use a child theme.
- WordPress shows a blank screen after a plugin install or updateWSOD (white screen of death) is usually one crashing plugin. You isolate it.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.