Quick tip for BBQ Pro users. You may have heard about the various ways that bad actors can attack the WordPress xmlrpc.php file. Here are a couple of examples for those who may be unfamiliar. To help protect against xmlrpc.php attacks, you can add a simple rule to BBQ Pro’s custom firewall patterns. This tutorial explains how to do it in 10 seconds or less.

Important: Do not implement this technique if your site for some reason actually uses the xmlrpc.php file. In my experience most sites never use it, but there are exceptions. If in doubt, do some research: there are tons of posts about “WordPress xml-rpc” out there, as well as the official xml-rpc documentation at the WordPress Codex.

Protect against xml-rpc attacks

Here are the steps to block all requests for the WordPress xmlrpc.php file:

  1. Visit the BBQ Pro settings and enable “Custom Rules”
  2. Visit the BBQ Pro Custom Firewall rules
  3. In the “Request URI” section, click “Add Pattern”
  4. Enter “xmlrpc.php” and save changes
  5. Done!

After saving the changes, you can test that the file is blocked from all access by clicking the “Test” button next to the firewall rule.
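To check whether anything legitimate calls xmlrpc.php before you block it, and to confirm afterward that nothing still gets through, you can audit the server access log. The script below is an added example, not part of BBQ Pro; it assumes Combined Log Format and that blocked requests are answered with a 403 status, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

BLOCKED_STATUS = "403"  # assumption: the firewall answers blocked requests with 403


def is_xmlrpc(path):
    """True when the request path (query string ignored) targets xmlrpc.php.

    This is the audit's own matching, not how BBQ Pro evaluates its patterns.
    """
    return path.split("?", 1)[0].lower().endswith("/xmlrpc.php")


def audit(lines):
    """Summarise xmlrpc.php traffic: callers by user agent, and requests not blocked."""
    agents, unblocked = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_xmlrpc(m["path"]):
            continue  # unparseable line or unrelated request
        agents[m["agent"]] += 1
        if m["status"] != BLOCKED_STATUS:
            unblocked.append((m["ip"], m["method"], m["path"], m["status"]))
    return agents, unblocked


# Constructed sample log lines (documentation IP ranges, made-up client name).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "ExampleBlogClient/1.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /blog/xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    agents, unblocked = audit(SAMPLE)
    for agent, n in agents.most_common():
        print(f"{n:4d}  {agent}")
    for hit in unblocked:
        print("not blocked:", *hit)
```

Run it against a few days of real log lines before adding the rule: a recurring user agent with successful responses is a sign the site may actually depend on xmlrpc.php.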