Skip to content
Read For Learn
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP

WordPress Security – How to block alternative WordPress access

I figured I’d just look in the Android application’s source code to see how it communicates. You can quickly see XML-RPC in the source.

So another way to access the blog is using WordPress XML-RPC support. It was improved and enabled by default in version 3.5 very recently. I don’t understand why they brought it back without the option to turn it off. It was on until 2.6, then turned off by default, and now it’s back in 3.5

So I found this post. It exaplains how to disable XML-RPC with one line of code which WordPress respects:

In your wp-cinfig.php file, add this line after require_once(ABSPATH . 'wp-settings.php');:

add_filter('xmlrpc_enabled', '__return_false');

This entirely disabled any access I had from the Android application. As of now I’m not getting any site lockout notifications by bad logins, mission accomplished!

Note: Before disabling, I did a test to make sure BWPS does scan bad logins from xmlrpc as well. Locked my self out using my phone on a 3g and got a notification later by email. In case it wasn’t then this whole theory would be questionable. So do yourself a favor and disable xmlrpc now! Unless you actually use it and you’re not under constant attacks from Turkish ip addresses.

Related Posts:

  1. How to Get Logged-in to “Remote WP Site” from my local script (in Same Browser)?
  2. Is there any way to rename or hide wp-login.php?
  3. Increase of failed login attempts, brute force attacks? [closed]
  4. How to fake a WordPress login?
  5. Brute force attack?
  6. Receiving “This content cannot be displayed in a frame” error on login page
  7. Give visitor access to password protected page/post via external script
  8. Websites defaced by uploading script using theme editor
  9. Make wordpress admin failed login attempt return 401
  10. Remote REST request to check login status
  11. WordPress login urls
  12. Store brute-force IP addresses
  13. How to create a private login page for admin.?
  14. Protecting WordPress login page
  15. wp-admin folder, brute force, and password protection
  16. Sniffing wordpress user’s credentials
  17. What would be the best way to implement Magic Link logins in WordPress?
  18. disable site_url redirect in wp-login.php
  19. SSO to WP, from a non-wp site on a different domain and server
  20. Login with serialized password
  21. Does WordPress (or a plugin) reveal login credentials to admin?
  22. Is wp_login_form secure on a non secure page?
  23. Is the login encrypted before it is sent? If so how to do I encrypt it the same way?
  24. WordPress login security
  25. Why isn’t the login page rate limited by default?
  26. How can I password protect a WordPress site without requiring users to log in?
  27. Input sanitation
  28. How to Prevent Brute Force Attack on WordPress
  29. Advice on redirect to lock site from unauthorized users
  30. Where is the php file, that does the checks for login information?
  31. Error on WordPress Login
  32. Access log “POST /wp-login.php HTTP/1.0” 400
  33. force login loophole
  34. I need to find which is the file that checks the DB for correct login (username, password)
  35. How to create separate login for authors/moderators/subscribers?
  36. How to invalidate `password reset key` after being used
  37. Set logged in user based on API response
  38. Site is not loading after relogin attempts on SSL
  39. Log in to wordpress after executing another form function
  40. Some crawlers/bots attempting to login with very good guesses. How?
  41. Login user after registration programmatically
  42. Hide wp-login.php but not the widget
  43. How login is possible, if I deny login page via nginx?
  44. Login page ERROR: Cookies are blocked due to unexpected output
  45. Separate registration and login for different roles
  46. How reduce wordpress login session timeout time?
  47. Login members using web services
  48. Why does WordPress hide the reset password key from the URL?
  49. Which ways can be used to log in to WordPress?
  50. wp_login action hook not working
  51. How do I extend auto logout on idle OR redirect inline popup
  52. Positioning the “Lost your password?” and “← Back to Site”
  53. Change to nofollow tag in wp-login.php
  54. Validate Custom Login field
  55. How to set different cookies for logged in admin users and logged in non admin users?
  56. Is it possible a one click user registration with Facebook or Twitter (or other Social Networks)?
  57. Restricting frontend acess based on user role otherwise redirect to login form
  58. Where is the query and form in wp-login.php?
  59. Is it safe to manually sign a user in using AJAX?
  60. How to edit .htaccess to change site’s login url?
  61. redirect to homepage after login
  62. auto login after registeration for wp-members plugin
  63. Passing username to login screen
  64. v5.6.2 User cannot stay logged in – wordpress_test cookie placed but not auth cookies
  65. How to set JWT token with PHP on successful login?
  66. wp-admin redirects to subdirectory after moving installation to subdirectory
  67. Forcing SSL login, have to log in again from WP/BP-Admin Bar
  68. Call header and footer on wordpress default login page
  69. Notifications when someone is on the site
  70. How to password-protect everything except the logo
  71. Generate email on meta value update
  72. how can redirect sign in and sign out link front-end page rather then wp-login .php in comment form in wordpress
  73. Custom code needed to be executed on login and logout
  74. Single Time Login HELP
  75. Allow Access to Home Page and Login Screen but Nothing Else (unless logged in)
  76. Reloading page with a query string upon login for admins
  77. Alert Message through email or phone(Message)
  78. Custom login page problem!
  79. Looking up WordPress account information from Host or php files
  80. Multiple issues with Ajax login function due to browsers and cookies
  81. Allow login only for one account from one device
  82. Custom failed login error messages for users based on user role?
  83. Recognize custom login page as wp-login.php
  84. Create a login page which redirects to a specific page?
  85. how to add social login option in wordpress
  86. Why deleting/removing cookies in WordPress does not log me out from admin?
  87. How to use google api for wordpress login
  88. Avoiding accidentally creating a second account at “Or log in with your existing social profile”
  89. display last login date in the frontend
  90. How user should automatically activated and go for login?
  91. How to lock WordPress front-end with login and password?
  92. Disabling the login form and redirect users on logout without headers sent php warning
  93. How to force login after user browses for a few minutes or browses a few pages?
  94. Cannot login with correct username and password anymore
  95. How to resolve these findings from security audit
  96. Warning-session start errors and cannot login to administer
  97. make a login system for site visitors
  98. WordPress – Security Question at Login from User’s Meta Data
  99. issue with my wp site after login
  100. How to create a fully functional user registration in WordPress?
Categories login Tags login, remote, remote-login, security
Multisite development environment
Retrieving data from specific multisite blog

Recommended Hostings

Cloudways: Realize Your Website's Potential With Flexible & Affordable Hosting. 24/7/365 Support, Managed Security, Automated Backups, and 24/7 Real-time Monitoring.

FastComet: Fast SSD Hosting, Free Migration, Hack-Free Security, 24/7 Super Fast Support, 45 Day Money Back Guarantee.

Recent Added Topics

  • Bug in translation system: load_theme_textdomain() returns true, files are available and accessible but the language defaults to english
  • Custom Elementor controls not appearing in the widget Advanced tab using injection hooks
  • Get the name of the template/*html file used
  • Trying to Add Paging to Single Post Page
  • Sharing media files between live and staging servers
  • How to display the description of a custom post type in the dashboard?
  • Critical error on image display
  • Copying WP data and files into new install?
  • How to determine the DirectAdmin WordPress backup date?
  • How to get list of ALL tables in the database?
© 2026 Read For Learn
  • Database
    • Oracle
    • SQL
  • algorithm
  • asp.net
  • assembly
  • binary
  • c#
  • Git
  • hex
  • HTML
  • iOS
  • language angnostic
  • math
  • matlab
  • Tips & Trick
  • Tools
  • windows
  • C
  • C++
  • Java
  • javascript
  • Python
  • R
  • Java Script
  • jQuery
  • PHP
  • WordPress