XML-RPC on Flywheel

Updated on January 9th, 2023

Note

By default, XML-RPC is blocked on all Flywheel sites. If one of your sites needs XML-RPC access, please reach out via chat and one of our Happiness Engineers can enable access to it for your site.

XML-RPC stands for Extensible Markup Language Remote Procedure Call, but for simplicity, we can think of it as the legacy WordPress API. It was a method that allowed apps and third-party services to access a WordPress site remotely in order to manage it. Examples include the WordPress Mobile App, Zapier, and trackbacks and pingbacks.

WordPress 4.4 added a new REST API to WordPress core, essentially replacing the need for XML-RPC. However, XML-RPC is still kept around for backward compatibility with some services that might still be using it.


What is an XML-RPC attack?

The main attack on a WordPress site through XML-RPC comes in the form of a brute force or password guessing attack. Because the WordPress XML-RPC path, example.com/xmlrpc.php, is so well known, malicious bots will check whether it exists on a site and then attempt to guess the username and password of an admin user, which would give them access to the site.

The repeated attempts in these brute force attacks can slow down the site significantly. They can have an effect similar to a Denial of Service attack, using up server resources and causing the site to go down.

Another non-attack issue that could come from allowing XML-RPC access is trackbacks and pingbacks. They are a way of alerting sites that a post has been linked to from another site. If a popular post was linked to many times, this could also cause Denial of Service to the site.


How does Flywheel protect my sites from XML-RPC attacks?

The number of sites that still need to use XML-RPC has dropped significantly over the last few years since WordPress introduced a REST API. Because of this, at Flywheel, we block XML-RPC access by default for all sites. With that being said, we do still allow access to some well-known services that are still using it.


Need help?

If you have any questions, our Happiness Engineers are here to help!
