Security

Harden your WordPress site against common attack vectors and information disclosure.

Overview

WordPress exposes several endpoints and behaviors that can be exploited by attackers. These security options harden your site against common attack vectors. All three options are enabled by default.

Disable XML-RPC

Default: On

XML-RPC is a legacy remote procedure call system that allows external applications to communicate with WordPress. It is one of the most commonly exploited attack surfaces on WordPress sites, frequently used for brute-force login attempts and DDoS amplification attacks.

Enabling this option:

  • Disables the XML-RPC interface entirely
  • Removes the X-Pingback HTTP header
  • Disables all XML-RPC methods

Important: If you use the WordPress mobile app, Jetpack, or any third-party service that connects via XML-RPC, you will need to leave this option off so that XML-RPC stays available to them. Most modern integrations use the REST API instead.

Block User Enumeration

Default: On

User enumeration is a technique attackers use to discover valid usernames on your site. Once they have a username, they can attempt brute-force password attacks against it.

This option blocks two common enumeration methods:

  • Author archive scanning: Blocks requests to ?author=1, ?author=2, etc., which normally redirect to a URL containing the username.
  • REST API user listing: Removes the /wp/v2/users endpoint for unauthenticated requests, preventing automated scraping of user data.

Logged-in administrators can still access user data normally.

Obfuscate Login Errors

Default: On

By default, WordPress login errors reveal whether a username exists (“Unknown username”) or whether the password was wrong (“The password you entered is incorrect”). This information helps attackers narrow down valid credentials.

When enabled, all login errors are replaced with a generic message: “Invalid username or password.” This prevents attackers from determining which part of the credentials is incorrect.
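As an added example (not the plugin's own code), the following standalone WordPress plugin wires the three hardening behaviours described on this page to the core hooks WordPress provides for them; the hook and function names are WordPress core's, everything else (plugin name, messages) is assumed for illustration.

```php
<?php
/*
 * Plugin Name: Hardening Example (added illustration, not the documented plugin)
 */

// Disable XML-RPC: xmlrpc_enabled switches the interface off, xmlrpc_methods
// empties the method table, and wp_headers drops the X-Pingback advertisement.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Block user enumeration via ?author=N on the front end only; wp-admin user
// screens use the same parameter legitimately and must keep working.
add_action( 'init', function () {
    if ( ! is_admin()
        && isset( $_GET['author'] )
        && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// Remove the REST users endpoints for anonymous requests; logged-in users
// (administrators included) keep normal access to user data.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// Replace every login error with one generic message so the response no
// longer reveals whether the username or the password was the wrong part.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

Drop the file into wp-content/plugins/ and activate it; a request to ?author=1 then returns 403 instead of redirecting to the author slug, and an anonymous GET to /wp-json/wp/v2/users returns a route-not-found error.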