XML-RPC is a legacy WordPress endpoint that enables remote publishing and pingbacks. It’s also a common brute-force and DDoS vector. Unless you’re using Jetpack or a remote publishing workflow that requires it, block it entirely at the Nginx level before it ever reaches PHP.
```nginx
# Deny XML-RPC: deny all returns 403 before the request reaches PHP-FPM
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}
```
Why at Nginx, not WordPress?
A plugin-based block (for example disabling XML-RPC with add_filter('xmlrpc_enabled', '__return_false')) still bootstraps WordPress for every request before the filter runs. Blocking at Nginx returns a 403 immediately, before PHP is ever invoked, saving execution time and reducing load under brute-force conditions.
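To see how much xmlrpc.php traffic a site actually receives, and to confirm the block is in effect (any 200 means requests still reach PHP), the following added script summarises Nginx access log lines. It is not part of the original page; it assumes the default Nginx "combined" log format and runs over constructed sample lines, so point it at logs captured before the block or while access_log is temporarily left on.

```python
"""Summarise /xmlrpc.php traffic from Nginx access logs (combined format)."""
import re
from collections import Counter

# Regex for the default Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "curl/8.0"
192.0.2.9 - - [10/Jan/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""


def summarise_xmlrpc(log_text, threshold=2):
    """Return per-IP xmlrpc.php hit counts, a status-code breakdown, and IPs at or over threshold."""
    per_ip = Counter()
    per_status = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        path = m.group("path").split("?", 1)[0]  # ignore query strings
        if path != "/xmlrpc.php":
            continue
        per_ip[m.group("ip")] += 1
        per_status[m.group("status")] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "per_status": dict(per_status), "noisy_ips": noisy}


if __name__ == "__main__":
    report = summarise_xmlrpc(SAMPLE_LOG)
    print("xmlrpc.php hits by IP:", report["per_ip"])
    # Any "200" here means requests are still reaching PHP, so the Nginx block is not in effect.
    print("status codes:", report["per_status"])
    print("IPs at/over threshold:", report["noisy_ips"])
```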
Apache equivalent
If you’re on Apache, add the following to your .htaccess (the Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use Require all denied instead):
```apache
<Files xmlrpc.php>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order Deny,Allow
    Deny from all
</Files>
```
Cloudflare WAF rule
If you’re behind Cloudflare, you can also create a WAF custom rule to block requests where URI Path equals /xmlrpc.php with action Block. This stops the request before it hits your origin server entirely.