{"id":599,"date":"2025-09-15T02:50:45","date_gmt":"2025-09-15T02:50:45","guid":{"rendered":"https:\/\/www.pofii.com\/blog\/?p=599"},"modified":"2025-09-15T02:51:06","modified_gmt":"2025-09-15T02:51:06","slug":"wordpress-security-hardening-xml-rpc-rate-limits-2fa","status":"publish","type":"post","link":"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/","title":{"rendered":"WordPress Security Hardening: XML-RPC, Rate Limits, 2FA"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-1-reduce-the-attack-surface-handle-xml-rpc-the-right-way\"><span class=\"ez-toc-section\" id=\"1_Reduce_the_attack_surface_handle_XML-RPC_the_right_way\"><\/span>1) Reduce the attack surface: handle <strong>XML-RPC<\/strong> the right way<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">XML-RPC powers some remote features. 
However, attackers often abuse it for brute force and DDoS amplification. You have three safe options. Pick the one that matches your setup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-option-a-disable-xml-rpc-completely-safest\"><span class=\"ez-toc-section\" id=\"Option_A_%E2%80%94_Disable_XML-RPC_completely_safest\"><\/span>Option A \u2014 Disable XML-RPC completely (safest)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use this if you do <strong>not<\/strong> need Jetpack, legacy mobile apps, or remote posting.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>.htaccess (Apache\/LiteSpeed):<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;Files \"xmlrpc.php\"&gt;\n  Require all denied\n&lt;\/Files&gt;\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>NGINX:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>location = \/xmlrpc.php { return 403; }\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-option-b-allow-only-selected-ips\"><span class=\"ez-toc-section\" id=\"Option_B_%E2%80%94_Allow_only_selected_IPs\"><\/span>Option B \u2014 Allow only selected IPs<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use this if a known service needs XML-RPC.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>.htaccess:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;Files \"xmlrpc.php\"&gt;\n  Require ip 203.0.113.10\n  Require ip 203.0.113.11\n  Require all denied\n&lt;\/Files&gt;\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-option-c-keep-it-on-but-rate-limit-it\"><span class=\"ez-toc-section\" id=\"Option_C_%E2%80%94_Keep_it_on_but_rate-limit_it\"><\/span>Option C \u2014 Keep it on, but <strong>rate-limit<\/strong> it<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use this when you need XML-RPC for a tool you trust.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>At the 
<strong>CDN<\/strong>: add a rule that rate limits <code>\/xmlrpc.php<\/code> by IP.<\/li>\n\n\n\n<li>On the <strong>server<\/strong>: use your web server or a firewall (e.g., fail2ban) to limit requests per minute.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Tip: If you disable XML-RPC, also check that your site\u2019s <strong>REST API<\/strong> endpoints remain accessible. Modern plugins rely on them.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-2-rate-limits-that-don-t-break-your-site\"><span class=\"ez-toc-section\" id=\"2_Rate_limits_that_dont_break_your_site\"><\/span>2) Rate limits that <strong>don\u2019t<\/strong> break your site<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers hammer login and XML-RPC endpoints. Rate limiting turns the firehose into a drip.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-to-rate-limit\"><span class=\"ez-toc-section\" id=\"What_to_rate-limit\"><\/span>What to rate-limit<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>\/wp-login.php<\/code><\/li>\n\n\n\n<li><code>\/xmlrpc.php<\/code> (if enabled)<\/li>\n\n\n\n<li><code>\/wp-json\/wp\/v2\/*<\/code> (only if you see abuse; avoid blocking normal REST use)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-safe-starting-thresholds\"><span class=\"ez-toc-section\" id=\"Safe_starting_thresholds\"><\/span>Safe starting thresholds<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Login page<\/strong>: 10 requests \/ minute \/ IP \u2192 then block or challenge for 10 minutes.<\/li>\n\n\n\n<li><strong>XML-RPC<\/strong>: 10 requests \/ minute \/ IP \u2192 then block or challenge for 10 minutes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"h-where-to-set-it\"><span class=\"ez-toc-section\" id=\"Where_to_set_it\"><\/span>Where to set it<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloudflare or your CDN<\/strong>: Use <strong>Rate Limiting \/ Rules<\/strong>. Challenge first, then block on repeat.<\/li>\n\n\n\n<li><strong>LiteSpeed\/Apache<\/strong>: <code>mod_security<\/code>\/<code>mod_evasive<\/code> or a WAF profile.<\/li>\n\n\n\n<li><strong>Server firewall<\/strong>: Use fail2ban with a regex that watches access logs for these paths.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Need a refresher on CDN setup? See: <a href=\"https:\/\/www.pofii.com\/blog\/what-is-cloudflare-and-how-to-get-maximum-out-of-it\/\">Cloudflare settings that actually speed things up<\/a>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-3-2fa-on-all-admin-accounts-non-negotiable\"><span class=\"ez-toc-section\" id=\"3_2FA_on_all_admin_accounts_non-negotiable\"><\/span>3) <strong>2FA<\/strong> on all admin accounts (non-negotiable)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Passwords leak. 
Two-factor stops most account takeovers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>2FA<\/strong> for all users with <strong>Administrator<\/strong> and <strong>Editor<\/strong> roles.<\/li>\n\n\n\n<li>Support <strong>TOTP<\/strong> apps (Authy, Google Authenticator) or <strong>passkeys<\/strong> if your stack supports them.<\/li>\n\n\n\n<li>Keep <strong>one backup code<\/strong> per user in a safe place.<\/li>\n\n\n\n<li>Enforce <strong>strong passwords<\/strong> and <strong>no password reuse<\/strong>.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Roll it out in phases. Start with site owners. Then editors. Then remaining staff.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-4-lock-down-login-without-locking-out-humans\"><span class=\"ez-toc-section\" id=\"4_Lock_down_login_without_locking_out_humans\"><\/span>4) Lock down <strong>login<\/strong> without locking out humans<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Small tweaks make brute force expensive.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Rename or protect<\/strong> <code>\/wp-login.php<\/code>: a custom login URL frustrates basic bots.<\/li>\n\n\n\n<li>Add a <strong>CAPTCHA or challenge<\/strong> after 3\u20135 failed attempts.<\/li>\n\n\n\n<li>Limit <strong>concurrent sessions<\/strong> per user.<\/li>\n\n\n\n<li>Auto-log out inactive sessions after 24 hours (or less for high-risk roles).<\/li>\n\n\n\n<li>Disable <strong>XML-RPC authentication<\/strong> if you don\u2019t need it.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-5-principle-of-least-privilege-roles-users-keys\"><span class=\"ez-toc-section\" id=\"5_Principle_of_least_privilege_roles_users_keys\"><\/span>5) 
Principle of least privilege (roles, users, keys)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Keep access tight. Mistakes shrink when blast radius is small.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Give each person the <strong>lowest role<\/strong> that lets them work.<\/li>\n\n\n\n<li>Remove <strong>old admins<\/strong> and <strong>stale accounts<\/strong>.<\/li>\n\n\n\n<li>Use a <strong>separate admin account<\/strong> for maintenance. Do daily work as Editor.<\/li>\n\n\n\n<li>Rotate <strong>application passwords<\/strong>, <strong>API keys<\/strong>, and <strong>salts<\/strong> on schedule.<\/li>\n\n\n\n<li>Store secrets outside the repo. Use environment variables.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-6-updates-plugins-and-themes-boring-but-vital\"><span class=\"ez-toc-section\" id=\"6_Updates_plugins_and_themes_boring_but_vital\"><\/span>6) Updates, plugins, and themes (boring but vital)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Old code is low-hanging fruit for attackers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Update <strong>WordPress core<\/strong>, <strong>themes<\/strong>, and <strong>plugins<\/strong> weekly.<\/li>\n\n\n\n<li>Remove plugins you <strong>do not<\/strong> use. Fewer plugins = fewer risks.<\/li>\n\n\n\n<li>Prefer <strong>maintained<\/strong> plugins with active updates.<\/li>\n\n\n\n<li>Avoid \u201call-in-one\u201d mega plugins unless you really need them.<\/li>\n\n\n\n<li>Test updates on a <strong>staging<\/strong> site first. 
Then deploy.<\/li>\n\n\n\n<li>See our <strong>staging \u2192 production<\/strong> checklist when it ships.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-7-backups-and-a-quick-restore-drill\"><span class=\"ez-toc-section\" id=\"7_Backups_and_a_quick_restore_drill\"><\/span>7) Backups and a quick <strong>restore drill<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Security is not only prevention. Recovery matters.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep <strong>daily off-site backups<\/strong> (files + database).<\/li>\n\n\n\n<li>Retention: at least <strong>7\u201314 days<\/strong>.<\/li>\n\n\n\n<li>Do a <strong>monthly restore drill<\/strong> to verify you can recover fast.<\/li>\n\n\n\n<li>After a restore, <strong>rotate passwords and keys<\/strong>.<\/li>\n\n\n\n<li>If you move hosts, use a clean cutover:\n<ul class=\"wp-block-list\">\n<li>Zero-downtime guide: <a href=\"https:\/\/www.pofii.com\/blog\/zero-downtime-website-migration-the-dns-ttl-playbook\/\">DNS TTL Playbook<\/a><\/li>\n\n\n\n<li>Full walkthrough: <a href=\"https:\/\/www.pofii.com\/blog\/how-to-migrate-website-to-new-host-ditch-slow-host-now\/\">Migrate to a faster host<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-8-headers-and-server-side-basics\"><span class=\"ez-toc-section\" id=\"8_Headers_and_server-side_basics\"><\/span>8) Headers and server-side basics<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Small headers create big friction for attackers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Force HTTPS<\/strong>. 
Add HSTS after you confirm all assets load over HTTPS.<\/li>\n\n\n\n<li>Set <strong>X-Frame-Options: SAMEORIGIN<\/strong> unless you need framing.<\/li>\n\n\n\n<li>Set <strong>X-Content-Type-Options: nosniff<\/strong>.<\/li>\n\n\n\n<li>Add <strong>Content-Security-Policy (CSP)<\/strong> in <strong>report-only<\/strong> first. Then enforce gradually.<\/li>\n\n\n\n<li>On LiteSpeed, keep <strong>HTTP\/3<\/strong> and <strong>Brotli<\/strong> on for speed and smaller attack surface per request.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-9-monitor-and-alert-noise-free\"><span class=\"ez-toc-section\" id=\"9_Monitor_and_alert_noise-free\"><\/span>9) Monitor and alert (noise-free)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You cannot fix what you do not see.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Watch for <strong>login failures<\/strong>, <strong>file changes<\/strong>, and <strong>spikes<\/strong> on <code>\/wp-login.php<\/code> and <code>\/xmlrpc.php<\/code>.<\/li>\n\n\n\n<li>Send <strong>email or Slack alerts<\/strong> for critical events only.<\/li>\n\n\n\n<li>Keep logs for <strong>at least 7 days<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-minimal-security-checklist-copy-paste\"><span class=\"ez-toc-section\" id=\"Minimal_security_checklist_copypaste\"><\/span>Minimal security checklist (copy\/paste)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable or rate-limit <strong>XML-RPC<\/strong><\/li>\n\n\n\n<li>Rate-limit <strong>\/wp-login.php<\/strong> at CDN or WAF<\/li>\n\n\n\n<li>Enforce <strong>2FA<\/strong> for Admins\/Editors<\/li>\n\n\n\n<li>Strong passwords, session limits, CAPTCHA after fails<\/li>\n\n\n\n<li>Least privilege roles; remove stale users<\/li>\n\n\n\n<li>Weekly updates; 
remove unused plugins\/themes<\/li>\n\n\n\n<li>Daily <strong>off-site backups<\/strong>; monthly restore drill<\/li>\n\n\n\n<li>HTTPS, HSTS, security headers; start CSP in report-only<\/li>\n\n\n\n<li>Monitor logins and spikes; alert on critical events<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-faq\"><span class=\"ez-toc-section\" id=\"FAQ\"><\/span>FAQ<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Should I disable XML-RPC or just rate-limit it?<\/strong><br>If you do not use it, <strong>disable<\/strong> it. If you must keep it, <strong>rate-limit<\/strong> it and allow only trusted IPs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Will rate limits block real users?<\/strong><br>Not if you set sane thresholds. Challenge first. Block only after repeated abuse.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Is 2FA overkill for small sites?<\/strong><br>No. 2FA blocks most account takeovers. It is the highest-ROI control you can add.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Do security plugins replace a WAF or CDN rules?<\/strong><br>They help, but they do not replace network-level protection. Use both when possible.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\">Want this done for you? On Pofii, we pair <strong>Pofii-Tuned LiteSpeed<\/strong>, strict rate limits, and fast edges with a hands-on rollout: XML-RPC policy, 2FA setup, and a working restore drill. You get speed <strong>and<\/strong> sane security\u2014without breaking logins or checkouts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security does not have to be complex. You can block the most common attacks with a few focused steps. This guide shows fast, safe wins you can apply today. It works on any host. It shines on LiteSpeed and Cloudflare. 
And yes\u2014on Pofii\u2019s Pofii-Tuned LiteSpeed stack, most of this plays nicely out of the box.<\/p>\n","protected":false},"author":5,"featured_media":605,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[35,188],"class_list":["post-599","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hosting","category-wordpress","tag-security","tag-wordpress"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>WordPress Security Hardening: XML-RPC, Rate Limits, 2FA - Pofii Insights<\/title>\n<meta name=\"description\" content=\"Harden WordPress in minutes\u2014disable or rate-limit XML-RPC, enforce 2FA, smart login limits, least-privilege roles, regular updates, and safe backups.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WordPress Security Hardening: XML-RPC, Rate Limits, 2FA\" \/>\n<meta property=\"og:description\" content=\"Harden WordPress in minutes\u2014disable or rate-limit XML-RPC, enforce 2FA, smart login limits, least-privilege roles, regular updates, and safe backups.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/\" \/>\n<meta property=\"og:site_name\" content=\"Pofii Insights\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/PofiiCOM\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-15T02:50:45+00:00\" \/>\n<meta property=\"article:modified_time\" 
content=\"2025-09-15T02:51:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.pofii.com\/blog\/wp-content\/uploads\/2025\/09\/programming-background-with-html-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1708\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"John Cavil\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@PofiiGlobal\" \/>\n<meta name=\"twitter:site\" content=\"@PofiiGlobal\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"John Cavil\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/\"},\"author\":{\"name\":\"John Cavil\",\"@id\":\"https:\/\/www.pofii.com\/blog\/#\/schema\/person\/82dd56bd4b7d1ae512907145b3a68873\"},\"headline\":\"WordPress Security Hardening: XML-RPC, Rate Limits, 
2FA\",\"datePublished\":\"2025-09-15T02:50:45+00:00\",\"dateModified\":\"2025-09-15T02:51:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/\"},\"wordCount\":863,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.pofii.com\/blog\/wp-content\/uploads\/2025\/09\/programming-background-with-html-scaled.jpg\",\"keywords\":[\"Security\",\"WordPress\"],\"articleSection\":[\"Hosting Tips &amp; Tricks\",\"WordPress Mastery\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/\",\"url\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/\",\"name\":\"WordPress Security Hardening: XML-RPC, Rate Limits, 2FA - Pofii Insights\",\"isPartOf\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.pofii.com\/blog\/wp-content\/uploads\/2025\/09\/programming-background-with-html-scaled.jpg\",\"datePublished\":\"2025-09-15T02:50:45+00:00\",\"dateModified\":\"2025-09-15T02:51:06+00:00\",\"description\":\"Harden WordPress in minutes\u2014disable or rate-limit XML-RPC, enforce 2FA, smart login limits, least-privilege roles, regular updates, and safe 
backups.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#primaryimage\",\"url\":\"https:\/\/www.pofii.com\/blog\/wp-content\/uploads\/2025\/09\/programming-background-with-html-scaled.jpg\",\"contentUrl\":\"https:\/\/www.pofii.com\/blog\/wp-content\/uploads\/2025\/09\/programming-background-with-html-scaled.jpg\",\"width\":2560,\"height\":1708,\"caption\":\"wordpress security\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.pofii.com\/blog\/wordpress-security-hardening-xml-rpc-rate-limits-2fa\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/nl.pofii.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WordPress Security Hardening: XML-RPC, Rate Limits, 2FA\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.pofii.com\/blog\/#website\",\"url\":\"https:\/\/www.pofii.com\/blog\/\",\"name\":\"Pofii\",\"description\":\"Success 
Simplified.\",\"publisher\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.pofii.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.pofii.com\/blog\/#organization\",\"name\":\"Pofii\",\"url\":\"https:\/\/www.pofii.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.pofii.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.pofii.com\/blog\/wp-content\/uploads\/2024\/12\/cropped-cropped-pofiiinsights-2.png\",\"contentUrl\":\"https:\/\/www.pofii.com\/blog\/wp-content\/uploads\/2024\/12\/cropped-cropped-pofiiinsights-2.png\",\"width\":2079,\"height\":221,\"caption\":\"Pofii\"},\"image\":{\"@id\":\"https:\/\/www.pofii.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/PofiiCOM\",\"https:\/\/x.com\/PofiiGlobal\",\"https:\/\/www.instagram.com\/PofiiGlobal\",\"https:\/\/www.linkedin.com\/company\/Pofii\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.pofii.com\/blog\/#\/schema\/person\/82dd56bd4b7d1ae512907145b3a68873\",\"name\":\"John Cavil\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.pofii.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.pofii.com\/brand\/logo-icon-circle-friendly.png\",\"contentUrl\":\"https:\/\/www.pofii.com\/brand\/logo-icon-circle-friendly.png\",\"caption\":\"John Cavil\"},\"description\":\"WordPress Expert, Head of technical support at Pofii Ltd.\",\"sameAs\":[\"https:\/\/www.pofii.com\/blog\/author\/JohnC\"],\"url\":\"https:\/\/www.pofii.com\/blog\/author\/johnc\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->"
Ltd.","sameAs":["https:\/\/www.pofii.com\/blog\/author\/JohnC"],"url":"https:\/\/www.pofii.com\/blog\/author\/johnc\/"}]}},"_links":{"self":[{"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/posts\/599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/comments?post=599"}],"version-history":[{"count":1,"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/posts\/599\/revisions"}],"predecessor-version":[{"id":606,"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/posts\/599\/revisions\/606"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/media\/605"}],"wp:attachment":[{"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/media?parent=599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/categories?post=599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pofii.com\/blog\/wp-json\/wp\/v2\/tags?post=599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}