WordPress Hardening – Part 4: Shutting Down XML-RPC and Author Enumeration

An abstract photo representing internet traffic.

Two major attack surfaces most WordPress users don’t realize are open.

If you’ve followed the series so far, you’ve already locked down your uploads directory and cleaned up your rewrite rules. In this part, we’re going to close two of the most common reconnaissance vectors attackers use to gather information about your site:

  • XML-RPC
  • Author Enumeration

Both are easy to test, easy to fix, and extremely effective at reducing your attack surface.

Understanding XML-RPC (and Why Attackers Love It)

XML-RPC is a legacy feature that allows remote systems to interact with WordPress. It was originally used for:

  • remote publishing
  • mobile app access
  • pingbacks
  • trackbacks

Today, most sites don’t need it, but attackers still use it heavily.

Why XML-RPC is dangerous:

  • It allows brute-force amplification
  • It enables pingback DDoS attacks
  • It exposes authentication endpoints
  • It can be abused even when the login page is protected

If you don’t explicitly need XML-RPC, disabling it is one of the safest hardening steps you can take.

Test Whether XML-RPC Is Enabled

Visit:

https://yourdomain.com/xmlrpc.php

Interpret the result:

  • 403 Forbidden = XML-RPC is blocked
  • 404 Not Found = XML-RPC is disabled or hidden
  • “XML-RPC server accepts POST requests only” = XML-RPC is active
  • A blank white page = XML-RPC is active

If it’s active and you don’t use it, you should disable it.

How to Disable XML-RPC Safely

There are three safe methods:

Method A: Block via .htaccess (recommended)

Add this to your root .htaccess:

# Block XML-RPC
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

This blocks all access to the file at the server level.

Method B: Disable via plugin

Security plugins like Wordfence or Disable XML-RPC can block it, but server-level blocking is more reliable.

Method C: Disable pingbacks only (Advanced)

If you need XML-RPC for legitimate purposes (like the WordPress mobile app or Jetpack), you can disable just the pingback functionality instead of blocking the entire file.

Add this to your theme’s functions.php or a custom plugin:

// Block XML-RPC pingback attacks
// Keeps other XML-RPC features working
// Note: every other XML-RPC method, including system.multicall, stays registered
add_filter('xmlrpc_methods', function($methods) {
    unset($methods['pingback.ping']);
    return $methods;
});

This blocks brute-force pingback attacks while keeping XML-RPC functional for other uses.

Note: Most users should use Method A (complete blocking) unless they have a specific reason to keep XML-RPC enabled.

Understanding Author Enumeration

Author enumeration is a technique attackers use to discover valid usernames.

By default, WordPress exposes author archives like:

/?author=1
/?author=2
/?author=3

WordPress then redirects these to:

/author/username/

This leaks your login username, which gives an attacker half of what a brute-force login attempt needs.

Why this matters:

  • Attackers don’t need to guess usernames
  • Bots can enumerate thousands of sites automatically
  • Once they know your username, they hammer the login page

Even if you use strong passwords, exposing usernames is an unnecessary risk.

Test Whether Your Site Is Vulnerable

Visit:

https://yourdomain.com/?author=1

Interpret the result:

  • 404 page (or 403 Forbidden) = enumeration is blocked
  • Redirect to an author archive = enumeration is active
  • Redirect to a custom slug = username is masked but enumeration still works

The safest result is a 404.

How to Block Author Enumeration

There are several safe methods:

Method A: Use a plugin like Edit Author Slug

This plugin lets you:

  • change public author URLs
  • hide your real username
  • block enumeration attempts

It’s simple and effective.

Method B: Block via .htaccess

Add this rule:

# Block author enumeration
# Prevents username discovery
# Requires mod_rewrite; place it after "RewriteEngine On" and before the
# WordPress rewrite block so it is evaluated first
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ - [F]

This returns a 403 Forbidden for enumeration attempts. Because it matches any query string containing author= followed by a digit, it also affects dashboard screens that filter by author (for example wp-admin/edit.php?author=2); if you rely on those, add a RewriteCond on %{REQUEST_URI} to limit the rule to the front end.

Method C: Block via Wordfence

Wordfence includes an option to block user enumeration under:

Wordfence – All Options – Brute Force Protection

This is easy and reliable.

Verify Your Fixes

After applying your changes:

Test XML-RPC again:

https://yourdomain.com/xmlrpc.php

You should see:

  • 403
  • or 404

Test author enumeration again:

https://yourdomain.com/?author=1

You should see:

  • your theme’s 404 page (or a 403 Forbidden if you used the .htaccess rule)

If both tests pass, you’ve closed two major reconnaissance vectors.
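A small POSIX shell script, added here and not part of the original post, that runs both checks with curl and maps the responses to the verdicts used above. It assumes curl is installed and that SITE holds your site's base URL (https://yourdomain.com is a placeholder).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes curl is available and
# SITE holds the base URL of the site being checked (placeholder below).
SITE="${SITE:-https://yourdomain.com}"

# Map the HTTP status and body of GET /xmlrpc.php to the verdicts used in
# this series: blocked (403), disabled-or-hidden (404), active (the
# "accepts POST requests only" message or a blank 200 page).
classify_xmlrpc() {
    status="$1"; body="$2"
    case "$status" in
        403) echo "blocked" ;;
        404) echo "disabled-or-hidden" ;;
        200)
            case "$body" in
                *"accepts POST requests only"*|"") echo "active" ;;
                *) echo "unknown:200" ;;
            esac ;;
        *) echo "unknown:$status" ;;
    esac
}

# Map the status and Location header of GET /?author=1 to a verdict.
# Any redirect means enumeration still works; the Location value shows
# whether the real username or a custom slug is being exposed.
classify_author() {
    status="$1"; location="$2"
    case "$status" in
        403|404) echo "blocked" ;;
        301|302|307|308) echo "enumerates:$location" ;;
        *) echo "unknown:$status" ;;
    esac
}

# Run both checks. curl does not follow redirects without -L, so the
# Location target is reported rather than fetched.
check_site() {
    tmp=$(mktemp)
    xs=$(curl -s -o "$tmp" -w '%{http_code}' "$SITE/xmlrpc.php")
    echo "xmlrpc.php: $(classify_xmlrpc "$xs" "$(cat "$tmp")")"
    rm -f "$tmp"
    out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$SITE/?author=1")
    echo "?author=1:  $(classify_author "${out%% *}" "${out#* }")"
}

# Invoke with --run to query the live site; sourcing the file only
# defines the functions above.
if [ "${1:-}" = "--run" ]; then check_site; fi
```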

Why These Two Steps Matter

Together, disabling XML-RPC and blocking author enumeration:

  • prevents attackers from discovering usernames
  • stops brute-force amplification
  • reduces automated scanning
  • eliminates a common DDoS vector
  • protects your login page
  • reduces noise in your security logs

These are high-impact, low-risk hardening steps that dramatically improve your site’s security posture.

Coming Up Next: Part 5 – Advanced Hardening: File Editing, REST API, and Optional Enhancements

In the final part of the series, we’ll cover:

  • disabling file editing in the dashboard
  • tightening REST API exposure
  • optional wp-config.php hardening constants
  • plugin/theme hygiene
  • additional best practices