XML-RPC is a procedure that uses XML file encoding to make a remote call to your website. It is commonly used in WordPress blogs to allow a website owner to publish new posts using an editor like the WordPress mobile app.
Until 2015, WordPress had disabled access to the xmlrpc.php file by default. In 2015, the WordPress team decided to enable it again, taking into consideration a big increase in mobile browsing and new security enhancements.
While greater security is good news, the xmlrpc.php file is still commonly targeted by brute force bots. These nuisance requests can consume the CPU/memory resources on your hosting plan and slow down your website. Security plugins can be useful in blocking bots. If they are still causing an issue and you don't have any need for xmlrpc.php to be enabled, you might want to completely disable access to xmlrpc.php using an .htaccess file.
You'll need to modify the .htaccess file which normally exists in the public_html directory of your website.
You should add this code to the file:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
If you use JetPack, here is alternative code which allows JetPack access but no one else:
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 122.248.245.244/32
allow from 54.217.201.243/32
allow from 54.232.116.4/32
allow from 192.0.80.0/20
allow from 192.0.96.0/20
allow from 192.0.112.0/20
allow from 195.234.108.0/22
</Files>
The code above is only an example. Please keep a copy of your original .htaccess file in case you need to revert it.
Once you have amended the code, please test your website to make sure it's working as you'd expect.
If you encounter any issues, please open a support ticket and our team will be happy to investigate.
Updated by SP on 23/11/2022
