XML-RPC Attack Detection

Alert ID: xmlrpc_attack
MITRE ATT&CK: T1110 – Brute Force · T1498 – Network Denial of Service

| Level    | Condition                        |
|----------|----------------------------------|
| Medium   | 5–6 requests in 5 minutes        |
| High     | 7–9 requests in 5 minutes        |
| Critical | 10 or more requests in 5 minutes |

  • Attack amplification: system.multicall allows multiple login attempts in a single request.
  • Efficient brute force: many credential guesses travel inside one HTTP request, so per-request rate limiting sees only a single request.
  • DDoS vector: pingback.ping floods target servers.
  • User enumeration: through wp.getUsersBlogs.
  • Legacy protocol: XML-RPC is unnecessary in many modern WordPress deployments.

  • Threshold: 5 requests to xmlrpc.php in 5 minutes from one IP.
  • Tracking: IP-based sliding window.
  • Monitored methods:
    • system.multicall
    • wp.getUsersBlogs
    • pingback.ping
  • Reset: the tracking window resets after the alert triggers.

| Type        | Pattern / Example | Description                      |
|-------------|-------------------|----------------------------------|
| log_pattern | POST /xmlrpc.php  | Request to the XML-RPC endpoint  |
| network     | system.multicall  | Amplified brute-force attack     |
| network     | wp.getUsersBlogs  | Valid-user enumeration           |
| network     | pingback.ping     | Pingback-based DDoS attacks      |

  • Legitimate Jetpack connections.
  • Official WordPress mobile apps.
  • Plugins that use remote publishing.
  • Legitimate trackback/pingback services.

  1. List requests:

     ```bash
     grep xmlrpc.php access.log | grep POST
     ```

  2. Analyze payloads (request bodies are readable this way only for plaintext HTTP; for TLS traffic, inspect them at the WAF or reverse proxy instead):

     ```bash
     tcpdump -A -s 0 'tcp port 80 and host [IP]'
     ```

  3. Identify purpose:

     • system.multicall → brute-force attack.
     • pingback.ping → DDoS.

  4. Assess impact: 200 responses (successful) versus 403/404 responses (blocked).
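The detection logic described earlier (IP-based sliding window over `POST /xmlrpc.php`, the Medium/High/Critical table, the monitored methods) and investigation steps 3 and 4 above can be exercised offline with the following Python script. It is an added example, not code from the rule or from the product this page documents. The access-log lines and XML-RPC bodies are constructed, the log regex assumes the default Apache/nginx combined format, and resetting the window only once the Critical tier fires is an interpretation of "the tracking window resets after the alert triggers" (the page does not say at which level the reset happens).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)                           # page: 5-minute window per IP
TIERS = [(10, "critical"), (7, "high"), (5, "medium")]  # page's severity table
RANK = {"medium": 1, "high": 2, "critical": 3}
METHOD_PURPOSE = {                                      # page's investigation step 3
    "system.multicall": "amplified brute force",
    "wp.getUsersBlogs": "user enumeration",
    "pingback.ping": "pingback DDoS",
}

# Combined access-log format (assumed Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
OUTER_RE = re.compile(r"<methodName>\s*([\w.]+)\s*</methodName>")
INNER_RE = re.compile(  # nested calls carried inside system.multicall
    r"<name>\s*methodName\s*</name>\s*<value>\s*(?:<string>)?\s*([\w.]+)\s*(?:</string>)?\s*</value>")


def parse_line(line):
    """Parse one access-log line; None if it does not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "verb": m["verb"], "status": int(m["status"]),
            "path": m["path"].split("?", 1)[0],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def severity(count):
    """Map a per-IP request count inside the window to Medium/High/Critical."""
    return next((name for floor, name in TIERS if count >= floor), None)


def xmlrpc_posts(lines):
    for ev in map(parse_line, lines):
        if ev and ev["verb"] == "POST" and ev["path"] == "/xmlrpc.php":
            yield ev


def detect(lines):
    """Sliding window per IP; one alert each time the IP climbs into a higher tier.
    Assumption: the window is reset once the critical tier fires."""
    windows, reported, alerts = defaultdict(deque), {}, []
    for ev in xmlrpc_posts(lines):
        ip, q = ev["ip"], windows[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:            # drop requests older than the window
            q.popleft()
        sev = severity(len(q))
        if sev is None:
            reported.pop(ip, None)                 # quiet again: a later burst re-alerts
        elif RANK[sev] > RANK.get(reported.get(ip), 0):
            alerts.append({"ip": ip, "ts": ev["ts"], "count": len(q), "severity": sev})
            reported[ip] = sev
            if sev == "critical":
                q.clear()
                reported.pop(ip)
    return alerts


def impact(lines):
    """Step 4: successful (200) versus blocked (403/404) xmlrpc.php POSTs, per IP."""
    out = defaultdict(lambda: {"successful": 0, "blocked": 0, "other": 0})
    for ev in xmlrpc_posts(lines):
        key = {200: "successful", 403: "blocked", 404: "blocked"}.get(ev["status"], "other")
        out[ev["ip"]][key] += 1
    return dict(out)


def classify_payload(body):
    """Step 3: name the top-level method in a captured body; for system.multicall
    also count the nested calls, which is the amplification factor."""
    outer = OUTER_RE.search(body)
    if not outer:
        return {"method": None, "purpose": None, "calls": 0, "inner": []}
    method = outer.group(1)
    inner = INNER_RE.findall(body) if method == "system.multicall" else []
    return {"method": method, "purpose": METHOD_PURPOSE.get(method, "unmonitored"),
            "calls": len(inner) or 1, "inner": inner}


# ---- constructed sample data (not real traffic) ----
def _log(ip, ts, verb, path, status):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{verb} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'

_T0 = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [_log("203.0.113.7", _T0 + timedelta(seconds=10 * i), "POST", "/xmlrpc.php",
                   200 if i < 8 else 403) for i in range(12)]            # 12 POSTs in 110 s
SAMPLE_LOG += [_log("198.51.100.4", _T0, "GET", "/wp-login.php", 200),  # ordinary visitor
               _log("198.51.100.4", _T0 + timedelta(seconds=30), "POST", "/xmlrpc.php", 200)]

def _multicall(n):
    """Constructed system.multicall body carrying n nested wp.getUsersBlogs calls."""
    call = ("<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string>"
            "</value></member><member><name>params</name><value><array><data><value><string>"
            "example-user</string></value><value><string>guess-{i}</string></value></data></array>"
            "</value></member></struct></value>")
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params>'
            f'<param><value><array><data>{"".join(call.format(i=i) for i in range(n))}'
            '</data></array></value></param></params></methodCall>')

SAMPLE_MULTICALL = _multicall(3)
SAMPLE_PINGBACK = ('<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
                   '<params></params></methodCall>')

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]:%H:%M:%S} {a["ip"]} {a["severity"]:8} count={a["count"]}')
    print(impact(SAMPLE_LOG))
    print(classify_payload(SAMPLE_MULTICALL))
```

Run as-is, the burst from 203.0.113.7 produces a Medium alert at the fifth request, High at the seventh and Critical at the tenth, after which the window is cleared; the single POST from 198.51.100.4 never reaches the threshold, which is how the legitimate clients listed under false positives stay quiet unless they exceed 5 requests in 5 minutes. `classify_payload` on the constructed multicall reports three nested calls in one request, the amplification the rule is built around.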


=== "Immediate"

    !!! danger ""
        - Block the attacking IP in the firewall or WAF.
        - Apply rate limiting specifically to `xmlrpc.php`.
        - Disable XML-RPC completely if it is not used.

=== "Preventive"

    !!! tip ""
        In `.htaccess` (Apache only; this denies the endpoint to every client, including the legitimate ones listed under false positives):

        ```apache
        <Files xmlrpc.php>
            Require all denied
        </Files>
        ```

        In `functions.php` (this filter disables only the XML-RPC methods that require authentication, so it stops multicall brute force but not `pingback.ping`):

        ```php
        add_filter('xmlrpc_enabled', '__return_false');
        ```

        - Install the **Disable XML-RPC** plugin.
        - Implement XML-RPC-specific WAF rules.
        - Configure a **Fail2ban jail** for this endpoint.

  • WordPress XML-RPC Documentation
  • Sucuri – XML-RPC Attack Analysis