XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism.

Since WordPress is not a self-enclosed system and occasionally needs to communicate with other systems, this was sought to handle that job.

The biggest issues with XML-RPC are the security concerns that arise. The issues aren’t with XML-RPC directly, but instead how the file can be used to enable a brute force attack on your site.

The are two main weaknesses to XML-RPC are:

1. Using brute force attacks to gain entry to your site.
   • An attacker will try to access your site using xmlrpc.php by using various username and password combinations.
   • They can effectively use a single command to test hundreds of different passwords.
   • This allows them to bypass security tools that typically detect and block brute force attacks.
2. The second was taking sites offline through a DDoS attack.
   • Hackers would use the pingback feature in WordPress to send pingbacks to thousands of sites instantaneously.
   • This feature in xmlrpc.php gives hackers a nearly endless supply of IP addresses to distribute a DDoS attack over.