Meghna Meghwani for ServerAvatar

Posted on • Originally published at serveravatar.com

WordPress Security Essentials: XML-RPC, PHP Blocking & Checksums

Your WordPress site may be more exposed than you realize. Strong WordPress security isn’t just about passwords and updates: features like XML-RPC, PHP execution, and file integrity can also create risks if left unchecked. Securing these areas helps protect your website from common threats.

I have lost count of how many times I have seen a fresh WordPress install get compromised within days of going live. Not because the owner was careless, but because the defaults are built for convenience, not security.

ServerAvatar’s WordPress Toolkit puts three powerful security controls right in front of you: no config files, no command line, no guesswork. Block XML-RPC requests, stop PHP from running in your uploads directory, and verify your core files against WordPress.org’s checksums.

This guide walks through all three. I will explain what each one does, why it matters, and when you’d actually flip the switch on or off. Let’s get into it.

TL;DR

  • Block XML-RPC if you’re not using the WordPress mobile app or Jetpack
  • Block PHP execution in uploads; this stops the most common attack path for uploaded malware
  • Verify checksums to catch any core files that have been modified without you knowing
  • All three are in ServerAvatar’s WordPress Toolkit Security section; no config files needed
  • These are layered defenses: one alone isn’t enough, but all three together make a real difference

Why WordPress Security Deserves Your Attention

WordPress runs over 40% of websites, which makes it a constant target. Attackers don’t need new tricks; they reuse the same known entry points across many sites.

Most hacks happen in one of a few ways:

  • Brute-force login attempts (often via xmlrpc.php)
  • Malicious files uploaded and later executed
  • Core WordPress files modified through a vulnerability

These settings lower the risk by closing the main entry points that attackers typically target.
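The third entry point above, core files modified without your knowledge, is what checksum verification catches. The following added example (written for this article, not ServerAvatar’s or WordPress’s own code) shows the check in miniature: it builds a small constructed "install" in a temporary directory, tampers with it, and compares every file to a manifest of expected MD5 hashes in the same shape as the one WordPress.org publishes for each release. The file contents, paths and hashes are all constructed for the demo; a real check would pull the manifest for your exact WordPress version and locale and run against the site root.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for core files. The real manifest comes from the WordPress.org
# checksums API (https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>),
# which maps a relative path to the MD5 of the pristine file; these bodies are made up.
PRISTINE_FILES = {
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php\n// constructed stand-in for the real file\n",
    "wp-includes/version.php": "<?php\n$wp_version = '0.0.0-demo';\n",
}
EXPECTED_MD5 = {rel: hashlib.md5(body.encode()).hexdigest() for rel, body in PRISTINE_FILES.items()}


def md5_of(path: Path) -> str:
    """Stream a file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(root: Path, expected: dict) -> dict:
    """Compare the files under root to the expected MD5s.

    Returns three sorted lists: files whose hash differs (modified), files the
    manifest lists but the install lacks (missing), and PHP files present in core
    directories that the manifest never mentions (unexpected). wp-content is skipped
    because themes, plugins and uploads legitimately live there and are not in the manifest.
    """
    modified, missing = [], []
    for rel, digest in expected.items():
        target = root / rel
        if not target.is_file():
            missing.append(rel)
        elif md5_of(target) != digest:
            modified.append(rel)
    unexpected = []
    for p in root.rglob("*.php"):
        rel = p.relative_to(root).as_posix()
        if rel.startswith("wp-content/") or rel in expected:
            continue
        unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}


def build_demo_install(root: Path, tamper: bool = True) -> None:
    """Write the constructed files; with tamper=True, simulate what a compromise leaves behind."""
    for rel, body in PRISTINE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    if tamper:
        # An injected line in a core file, a stray PHP file dropped into wp-includes,
        # and a core file that was deleted.
        (root / "index.php").write_text(PRISTINE_FILES["index.php"] + "// injected\n")
        (root / "wp-includes" / "extra.php").write_text("<?php\n// not part of core\n")
        (root / "wp-includes" / "version.php").unlink()


def demo(tamper: bool = True) -> dict:
    """Run the verifier against a fresh constructed install and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_install(root, tamper)
        return verify_checksums(root, EXPECTED_MD5)


if __name__ == "__main__":
    print(demo())
```

On the tampered demo install the report names index.php as modified, wp-includes/version.php as missing and wp-includes/extra.php as unexpected; on an untouched install all three lists are empty. Treat a non-empty "modified" or "unexpected" list as an incident indicator rather than something to silently repair, since the changed file is also your evidence of how the site was altered.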

Block XML-RPC Requests

What is XML-RPC?

XML-RPC (xmlrpc.php) is a WordPress feature that allows external apps like the mobile app, Jetpack, and other tools to connect and interact with your site.

The concern is that attackers can also take advantage of it. It includes a method called system.multicall, which allows multiple password attempts in a single request, making brute-force attacks faster and harder to detect than normal login attempts.

If you notice POST requests to xmlrpc.php in your logs, it’s often a sign of automated login attacks targeting this endpoint.
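To turn that log observation into a repeatable check, here is an added example (not from the original article) that parses web-server access-log lines in the common "combined" format, keeps only POST requests to xmlrpc.php, and flags any source IP that sends at least a threshold number of them inside a short time window. It also reports how many of those requests were answered with a 2xx status, because after the block is enabled those same requests should stop succeeding. The log lines are constructed for the demo and the threshold and window values are assumptions to tune for your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" access-log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: an ordinary visitor, one source hammering xmlrpc.php within seconds,
# and a single isolated xmlrpc.php call of the kind an app or Jetpack might make.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5123
198.51.100.9 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.9 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.9 - - [12/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.9 - - [12/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.9 - - [12/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.44 - - [12/Mar/2024:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380
203.0.113.7 - - [12/Mar/2024:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210
"""


def parse_line(line: str):
    """Return a dict for a well-formed combined-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def xmlrpc_posts(lines):
    """Yield parsed entries that are POSTs to xmlrpc.php, ignoring any query string."""
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            yield e


def find_xmlrpc_abuse(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag source IPs that POST to xmlrpc.php at least `threshold` times within any window.

    Returns {ip: {"posts": total_posts, "served_2xx": posts_answered_with_2xx}}. A flagged IP
    whose requests still get 2xx answers means the endpoint is still serving them.
    """
    by_ip = defaultdict(list)
    for e in xmlrpc_posts(lines):
        by_ip[e["ip"]].append((e["ts"], e["status"]))
    flagged = {}
    for ip, events in by_ip.items():
        stamps = sorted(ts for ts, _ in events)
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "posts": len(events),
                    "served_2xx": sum(1 for _, s in events if 200 <= s < 300),
                }
                break
    return flagged


if __name__ == "__main__":
    print(find_xmlrpc_abuse(SAMPLE_LOG.splitlines()))
```

With the defaults the sample flags only 198.51.100.9 (five POSTs in three seconds, all served with 200) and leaves the single call from 192.0.2.44 alone, which is the distinction you want: a burst from one source is the brute-force signature, while an occasional request may be the mobile app or Jetpack. Run the same check again after enabling the block; the flagged source should disappear or its "served_2xx" count should drop to zero.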

How to Block XML-RPC in ServerAvatar’s WordPress Toolkit

Here’s how you can disable it using ServerAvatar:

  • Log in to your ServerAvatar account and navigate to the server panel.
  • Go to Applications, then click on your dashboard icon for your WordPress application.

(Screenshot: application panel)

  • Open WP Toolkit from the left sidebar and go to the Security section.
  • Find the “Block XML-RPC Requests” option.

(Screenshot: WP Toolkit)

Once enabled, the status will change from Allowed to Blocked, meaning XML-RPC requests, pingbacks, and remote access calls will no longer work on your site.

Read Full Article: https://serveravatar.com/speed-up-wordpress-with-object-cache-pro-2/
