WordPress Xmlrpc 403



403 Forbidden

Add a custom form have this error
403 Forbidden
Access to this resource on the server is denied!
Powered By LiteSpeed Web Server
LiteSpeed Technologies is not responsible for administration and contents of this web site!
and i checked xmlrpc
XML-RPC server accepts POST requests only.
and how can solved it
Blog url: http://iliyahaddad.wordpress.com/

The blog I need help with is iliyahaddad.wordpress.com.

http://iliyahaddad.wordpress.com/ seems to be fine. Were you referring to a different blog? If so, what is the URL?

i used jetpack in wordpress and Add a custom have a problem

403 Forbidden
Access to this resource on the server is denied!
Powered By LiteSpeed Web Server
LiteSpeed Technologies is not responsible for administration and contents of this web site!

and i checked xmlrpc
XML-RPC server accepts POST requests only.

in the part (Contact Form) when click on icon in page
show me this error

403 Forbidden
Access to this resource on the server is denied!
Powered By LiteSpeed Web Server
LiteSpeed Technologies is not responsible for administration and contents of this web site!

please help me
i have last ver of wordpress and jetpack but i cant use Contact Form

Hm, that’s very strange. Which version of Jetpack are you running, and which version of WordPress?

ver wp is 3.4.2
ver jetpack is 1.8.3

Hm, that should be fine.

Would you please try with all other plugins temporarily disabled?

Theme functions can sometimes interfere too, so if disabling all other plugins made no difference, try temporarily switching to the Twenty Eleven theme.

i do all things that you said to me but dont work
and i have only problem with contact form
and other parts of Jetpack work good
and dont know what is problem
but i leave it now

Would you please try upgrading to Jetpack 1.9.1 to see if that makes any difference?

yes i do it and
everythings do works but contact form do not
i think that contact form have a link to host and need a option on host
but i do not know what’s it
that i can solved this problem
thank you

Are you referring to how the contact form works on http://www.xpercia.com/?page_id=30 or when you try to add a contact form to a page?

problem is here:
my http server is LiteSpeed and dont support jetpack(contact form) codes on Web Server.

yes when i try to add a contact form to a page give me this error that:
403 Forbidden
Access to this resource on the server is denied!
Powered By LiteSpeed Web Server
LiteSpeed Technologies is not responsible for administration and contents of this web site!

and about page_id=30 it is not jetpack tools
this is a plugin that make contact form

We should be supported just fine on LiteSpeed.

Have you contacted your hosting provider about this? They may find something helpful in their error logs if you can trigger the error again and provide them with the date and time.

i solved it:
i should put them to .htaccess and end

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

they are master codes
thank you

That’s odd, those should have been there already if you were using permalinks.

Which part of the above segment was missing?

permalinks is default mode
and .htaccess havent it

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

and it show that jetpack (contact form) cant access to index.php
have fun

Ok, sounds like maybe a bug or misconfiguration in LiteSpeed prevented your .htaccess file from being written, as we have several Jetpack installations under LiteSpeed without this issue.


A computer security blog, from a technological point of view

WordPress XMLRPC brute force attacks via BurpSuite

Hello everyone, my name is Lara and this is my first post. I hope you enjoy it and find it helpful. 🙂

Nowadays brute force attacks against servers and applications are very common on the internet. If you have a server online, you can probably see this kind of attack in your server logs. The most common attack surfaces are the SSH service, the web server, or an authentication form on your web page (an application-based attack).

WordPress is a well-known CMS (Content Management System). Brute force attacks against it are very common, and attackers usually target the authentication form; however, it is not the only route they can use.

What is XML-RPC interface?

“It’s a specification and a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet.
It’s remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.”

XML-RPC functionality has been turned on by default since WordPress 3.5, but not all WordPress administrators know about this functionality and what it is for, so they do not properly protect the XML-RPC interface.

OK, so the question is: why does WordPress use this interface?

Basically, WordPress uses this interface to let you post directly to your blog from weblog clients or email apps, and for the pingback and trackback functionality.

There are a lot of plugins in WordPress that you can use to prevent brute force attacks through the login form, but preventing this kind of attack through the XML-RPC interface is a bit more complicated. To do so, you need to modify the .htaccess file and disable the XML-RPC interface (if you don’t want to use it).

In this article, I am going to cover how to perform brute force attacks against WordPress XML-RPC interface.

Brute force attack.

There are two types of brute force attack that we can do against XML-RPC interface.

– Simple brute force attack : You can try in each request one user and one password
– Amplification brute force attack available till version 3.5.1 of WordPress: You can try in each request more than one user and password.

The attack ( Simple brute force attack )

To check if the XML-RPC interface is enabled in the WordPress you can use the following URL:

If you can see this in your browser, it means that the xmlrpc.php interface is enabled.

As the next step, we will check whether it is possible to interact directly with the WordPress API. To do this, we have to create a file to check whether WordPress accepts POST requests.

Write the following XML code to the file:

The xmlrpc.php file needs valid XML sent to it as a POST request. The easiest way to do this in Linux is to use cURL. The following command will send the XML contained within the ‘demo.sayHello.txt’ file as a POST request to the remote WordPress API:
curl --data @hello.txt http://url/xmlrpc.php

The expected server response should look like the following:

So far we have checked that we are able to make API calls to WordPress. We will use another API call to achieve our objective: getting a valid user and password through a brute force attack.

The method that we will use is wp.getUsersBlogs.

Firstly we need to create a file with the valid XML code to call the API method.

The file should contain this code

Then we call the method to check whether the user and password are correct.

As we can see, the API responds with the result of the API call.

At this point, we know how to check whether credentials are valid through the XML-RPC interface, but doing it this way is tedious.

Our goal is to intercept the request in a web proxy, (we will use burp suite), and automate the task.

As we saw before, we use curl to make the API call; if we want to automate the attack, we should configure curl to send the request through the web proxy.

curl --data @getusers.txt http://url/xmlrpc.php --proxy localhost:8080

With the previous command, we will send the request through the web proxy, and we will be able to start our brute force attack.

Intercept the request by burpsuite

At this point, the next step is to send the request to the Intruder module in BurpSuite; this module will let us automate the attack.

We have to choose the parameters that we want to attack; in this case, we will focus on the second parameter (the password).

Choose the position for the payload

Next, we have to choose the payloads that we want to use; as you can see in the picture, we will use a password list.

After this, we only have to click the button “start attack”.

Choose payloads file

Finally, we only need to cross our fingers and wait a little bit to see the results.

Get the correct credentials

If you are lucky, you will get the credentials, and after this, you can access the system. Congratulations!

Leave your comments and your questions if you have any doubts! I will be happy to help you.


Block wp-login


Block Access to wp-login.php

This plugin does the following:

1) Locates wp-login.php in your WordPress installation and duplicates it
2) Locates .htaccess and inserts lines to block the default wp-login.php and creates a new secret address to use for legitimate login
3) Allows you to reduce load on the server by optionally blocking admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt

When installed, your server will return “403 Forbidden” when attempts are made to access the default wp-login.php file. This has two benefits: it prevents hackers from using brute force methods to hack your website, and it reduces the load on the server when such brute force attacks are launched on your site, as WordPress isn’t run at all.


Easily prevent access to the default wp-login.php file:

1) Install Block wp-login automatically or by uploading the ZIP file.
2) Activate the plugin through the ‘Plugins’ menu in WordPress.
3) Once activated, visit “Settings – Permalinks” in the admin menu.
4) At the bottom of the page tick the box next to “Block wp-login”
5) Make sure you make a note of the new address you will need to use to sign in and confirm
6) Choose if you would also like to block admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt
7) Save the settings

Although this plugin now detects when WordPress has been upgraded and re-installs itself, when upgrading WordPress core, you should still make sure you deactivate this plugin first.

How to Block XML-RPC Attacks on CentOS & cPanel Servers

XML-RPC is a protocol that uses XML to encode the calls and HTTP as a transport layer for its communication. XML-RPC literally means XML Remote Procedure Call. It’s widely used in web applications, especially by CMSs like WordPress. Today we will show you how to block XML-RPC attacks easily.

WordPress uses XML-RPC to extend its functionality and features; it has been enabled by default since WordPress v3.5.

Why would I need XML-RPC enabled on WordPress?

More than 50% of WordPress users don’t need this XML-RPC feature enabled, but there is no easy way for WordPress users to disable it through an option in the WP administration panel.

On the other hand, there are WP users who do use this function without knowing it. Remote plugins and apps that send requests to the xmlrpc.php script need it: for example, the popular WordPress plugin Jetpack, or the official WordPress mobile apps.

The downside of XML-RPC

In past years, web hosting providers, ISPs and WP end users have seen many WordPress installations taken down by DDoS attacks against this XML-RPC functionality, and it is still used to launch floods and exploit outdated WordPress installations.

So, that’s why today we are going to review some ways to stop the WordPress XML-RPC attacks, from user side and from server administrator side.

How can I Block XML-RPC Attacks on WordPress?

Let’s see how to Prevent WordPress XML-RPC attacks on the two most popular web servers: Apache and Nginx

1) Block access to xmlrpc.php files from your website

For Apache users:

Place this code inside a .htaccess file:

Make sure you replace XX.XX.XX.XX with your real IP if you want to whitelist some server IPs, or with your static ISP IP if you need to send requests to the xmlrpc.php file.

For Nginx users:

Reload Nginx to apply changes:

2) Stop XML-RPC attacks using Mod_Security Rules

ModSecurity is a web application firewall that helps users stop common web-based attacks such as SQL injection, DoS and other common HTTP attacks. In this case, it’s useful to stop XML-RPC attacks.

I’ve found two rule-sets that seem to be working, but I haven’t fully tested so far.

First one comes from StackOverflow:

The second comes from Ryan White’s blog, which shows full protection against XML-RPC attacks from single connections; it is not as effective against distributed hosts:

3) Block XML-RPC Attacks using CSF Firewall

Important: this method no longer seems to work on the latest CSF and CentOS versions. If you decide to proceed, it is not guaranteed that it will stop XML-RPC attacks on your server.

There is another server-side method (found at ConfigServer Forums) to block XML-RPC attacks using your server firewall. In this case, we will block this attack using a custom regex rule with the almighty CSF Firewall.

We will configure CSF to block the offending IP if it exceeds 10 POST or GET requests to the xmlrpc.php file in less than 3600 seconds.

Edit your regex.custom.pm file:

Close to the end of the file, you will see an empty space. That is where we are going to place our new anti-xmlrpc rule (marked in red on the next screenshot)

The rule is the following, just copy and paste:

Once you add the rule, it should look like this:


Save the file, and edit the CSF configuration, as you see here:

Search for this variable: CUSTOM2_LOG and set it as you see below:

Save the changes and create your log file:

Now restart CSF and LFD to apply changes:

If you need to deactivate this XML-RPC block rule, just clear the rule by editing regex.custom.pm, and after that restart csf and lfd once again.
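
The threshold described above (more than 10 POST or GET requests to xmlrpc.php from one IP within 3600 seconds) can also be checked offline against an access log. This Python sketch is an added example, not the CSF rule from the original post; it assumes combined-format log lines in chronological order, and the sample lines and the name find_offenders are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic):
# 203.0.113.7 sends 12 POSTs in 12 minutes, 198.51.100.4 sends 3 GETs hours apart.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:{m:02d}:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
    for m in range(12)
] + [
    f'198.51.100.4 - - [10/Oct/2023:{h:02d}:05:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"'
    for h in (9, 13, 17)
] + ['203.0.113.7 - - [10/Oct/2023:13:30:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"']

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>GET|POST) (?P<path>\S+)'
)

def find_offenders(lines, limit=10, window=3600):
    """Return {ip: peak_count} for IPs that made more than `limit` GET/POST
    requests to xmlrpc.php inside any `window`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue              # unparseable line or other HTTP method
        path = match.group("path").split("?", 1)[0]
        if not path.endswith("/xmlrpc.php"):
            continue
        ip = match.group("ip")
        ts = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        hits = recent[ip]
        hits.append(ts)
        # Drop requests that have aged out of the sliding window.
        while ts - hits[0] >= window:
            hits.popleft()
        if len(hits) > limit:
            offenders[ip] = max(offenders.get(ip, 0), len(hits))
    return offenders

if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} xmlrpc.php requests within 3600 seconds")
```

Run against a real log by passing an open file object as `lines`; the output is a review list, and the blocking itself stays with the firewall.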


As you see, there are a few ways to block XML-RPC attacks on WordPress. The first options we explained in this post use a simple allow/deny for Apache and Nginx web servers; however, if you are suffering a big attack, you can enable a server-side iptables-based solution using CSF Firewall.

What is your experience defending against XML-RPC web based attacks?


Manage XML-RPC


You can now disable XML-RPC for given IPs to avoid brute force attacks, or enable access for specific IPs. XML-RPC on WordPress is actually an API that gives developers who build mobile apps, desktop apps and other services the ability to talk to a WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

Block XML-RPC in the following ways:

  • Disable pingback.ping and pingback.extensions.getPingbacks and unset X-Pingback from the HTTP headers, which blocks bots from accessing the specified methods.
  • Disable/Block XML-RPC for all users.
  • Enable XML-RPC based on IP list.
  • Disable XML-RPC based on IP list.




  1. Upload the plugin files to the /wp-content/plugins/ directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ’Plugins’ screen in WordPress
  3. Use the ’XML-RPC Settings’ screen to configure the plugin.

Frequently Asked Questions

Yes, it’s preferable to take a backup of existing .htaccess file.

What if the .htaccess file doesn’t have write permission?

You can copy and paste new rule in your .htaccess file from plugin setting page.
