Security Researcher Detected: You might have ended up here because your site vulnerability scanner found something interesting. Hi! I'm a security engineer and I'm having a good time interacting with the people and bots that are interested in information security.
You will hopefully find this site is well-secured and I'm not interested in being hacked. I'm interested in learning about how people try to hack me, though.
What is this endpoint?
xmlrpc.php
WordPress XML-RPC endpoint, frequently abused for brute-force amplification and pingback DDoS
What an attacker could do
This endpoint enables `system.multicall` password brute-force amplification (hundreds of login attempts per request) and pingback-based reflective DDoS and SSRF against third parties.
How to defend it
Disable XML-RPC entirely if unused (via plugin or `add_filter('xmlrpc_enabled','__return_false')`), or block the file at the web-server level and disable the pingback method.
Connect with the Security Engineer
Learn More
Want to dive deeper into this topic? Check out the official documentation.
Read Official Documentation