XML-RPC Exposure Checker

Last updated:

Check whether xmlrpc.php is exposed on your WordPress site. We test if the endpoint responds, lists methods, or allows pingback, then rate the risk and tell you how to lock it down.

Enter a WordPress site URL:

How the Checker Works

  1. Probe xmlrpc.php, a harmless request is sent to the endpoint.
  2. Read the response, status codes and method lists are parsed.
  3. Check pingback, the tool notes whether pingback is enabled.
  4. Rate the risk, you get a clear verdict and a fix.

Why It Matters

  • Brute-force amplification, system.multicall lets attackers try many logins at once.
  • Pingback abuse, the endpoint can be used for reflected attacks.
  • Smaller attack surface, disabling unused endpoints is good hygiene.
  • Server load, blocking abuse reduces wasted resources.

xmlrpc.php Risks & Mitigations

xmlrpc.php is enabled by default but most modern sites do not need it, since the REST API now handles publishing and app integrations. These are the specific ways it is abused and how to shut each one down. If you do not use the WordPress mobile app, Jetpack features that require it, or remote publishing, disabling it entirely is the safest choice.

Risk Why it matters Fix
Brute-force amplification system.multicall packs hundreds of login guesses into one request, slipping past request-count rate limits. Disable xmlrpc.php at the server, or block system.multicall and add strict rate limiting.
Pingback DDoS pingback.ping makes your server fetch arbitrary URLs, so many sites can be aimed at one victim as a reflected DDoS. Remove pingback methods via a filter on xmlrpc_methods, or disable XML-RPC outright.
SSRF / port scanning The same pingback fetch can target internal addresses to map or probe services behind your firewall. Disable pingback and XML-RPC; do not rely on the endpoint being internal-only.
Unneeded attack surface An enabled endpoint you never use is pure risk with no benefit, and a target for future method vulnerabilities. If unused: add_filter('xmlrpc_enabled', '__return_false'); plus a server deny rule on the file.
Needed but exposed Some integrations (legacy apps, Jetpack) still require XML-RPC, but full public exposure is unsafe. Allowlist the integration's IPs, enforce 2FA and rate limits, and remove pingback methods.

Locking down xmlrpc.php correctly, without breaking an integration you depend on, is part of what our WordPress website maintenance services handle, alongside firewalls, updates, and uptime monitoring.

Next steps

XML-RPC Exposure Checker related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

XML-RPC Exposure Checker: FAQ

How does the checker test xmlrpc.php?
It sends a GET request to /xmlrpc.php and looks for the standard POST-only response or HTTP 405. When the endpoint looks live, it sends a harmless system.listMethods XML-RPC request to see whether methods can be listed.
What do Exists and Enabled mean?
Exists means the status, standard response text, or method response resembles a WordPress XML-RPC endpoint. Enabled means that signal was found without a 403 or 404 status; it is a heuristic and does not prove every method is callable.
How is pingback exposure detected?
If system.listMethods returns a recognizable method array, the tool checks whether pingback.ping appears in that list. It does not send a pingback or attempt SSRF, denial of service, password guessing, or any exploit.
How should I interpret the XML-RPC risk level?
A reachable endpoint is labeled medium, and a listed pingback.ping method is labeled high. This prioritization is specific to the tested signals, not a complete security assessment of WordPress, the server, or protective controls.
Is XML-RPC always unnecessary?
No. Jetpack, WordPress mobile publishing, remote clients, and some integrations can depend on it. Confirm actual dependencies before blocking the endpoint, then test those workflows after any change.
What should I do if XML-RPC is enabled?
If nothing requires it, block xmlrpc.php at the server or with a trusted security control. If it must remain, consider disabling pingbacks, enforcing strong authentication and multifactor protection, limiting requests, and monitoring abuse.
Why can a firewall or plugin change the result?
The requests have 12-second timeouts and read limited public response samples without your cookies. A WAF can return 403, challenges, custom 200 pages, or different behavior by location, causing a false positive or negative.
Is the URL or XML-RPC response stored?
The URL is sent to WebAloha's server for the live GET and possible method-list POST. This endpoint does not save the URL, response sample, listed methods, or result to a database or result cache.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.

Want a Hardened, Fast WordPress Site?

We secure, speed up, and maintain WordPress sites so they stay safe and rank well.