Control XML-RPC Access (WebUI Method)
- Log into cPFence WebUI and choose the server.
- Open Tools & Utilities ➜ WP-AutoShield Bulk Tools.
- Select Disable XML-RPC to block the endpoint with a 403, or Enable XML-RPC when remote apps require it.
- Confirm the action; the UI propagates the change to all detected sites (or just the subset you selected).
- Review the streamed log for any site that needs manual intervention.
Disable XML-RPC to reduce brute-force and amplification attacks while still allowing selective re-enablement.
Tip: Ensure autoshield_disable_wp_xmlrpc is set to ‘Off’ in the Settings page (if it’s currently on), or WP-AutoShield will automatically re-disable it during the next 6:10 AM run.
Command Line (CLI) Method
- SSH into the server.
- Disable XML-RPC globally:
cpfence --bulk-disable-wp-xmlrpc - Enable XML-RPC when integrations need it:
cpfence --bulk-enable-wp-xmlrpc
Remember to re-enable WP login protections if you grant XML-RPC access for mobile editors.
Need Further Assistance?
Visit our Knowledgebase or contact our support team for help.
