WordPress exposes an XML-RPC interface through the xmlrpc.php file for communication with external clients. This feature is frequently abused for brute-force attacks because it supports system.multicall, which lets a client bundle many login attempts into a single HTTP request. This study analyzed brute-force attacks against xmlrpc.php through simulations in a local environment using WPscan and a Python script called lokoscannerX_ver1. Testing was conducted under two scenarios: WordPress without additional security, and WordPress hardened with the Disable XML-RPC plugin and an .htaccess file configuration. The results showed that the unprotected WordPress installation was easily attacked and the attack overloaded the virtual server in the test environment. After the Disable XML-RPC plugin was installed, the attacks were blocked and prevented, whereas the .htaccess configuration only blocked execution of xmlrpc.php and still allowed user information to be detected. This study emphasizes the importance of disabling XML-RPC as a basic WordPress security measure.
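The abstract describes the defining trait of this attack, namely many credential checks hidden inside one POST to xmlrpc.php via system.multicall, which means a request-rate threshold alone can undercount it. The following Python example is added here for illustration and is not the study's lokoscannerX_ver1 script nor any WPscan code. It shows both detection angles a defender has: counting POSTs to xmlrpc.php per client in a web-server access log, and inspecting a request body to count the inner calls packed into a system.multicall. The log lines and XML bodies are constructed samples; wp.getUsersBlogs is a real WordPress XML-RPC method that accepts a username and password, which is why credential-guessing multicalls commonly target it, but the specific values shown here are made up.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Apache/nginx-style access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2025:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Common log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def count_xmlrpc_posts(log_text):
    """Map each client IP to the number of POST requests it sent to xmlrpc.php."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the pipeline
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            hits[m.group("ip")] += 1
    return hits


def flag_suspicious_clients(log_text, threshold=3):
    """Return client IPs whose xmlrpc.php POST count reaches the threshold."""
    return sorted(ip for ip, n in count_xmlrpc_posts(log_text).items() if n >= threshold)


# Constructed request body: one system.multicall carrying three wp.getUsersBlogs
# calls, each with its own username/password pair (sample values, not real).
SAMPLE_MULTICALL = """<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>sample-pass-1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>sample-pass-2</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>sample-pass-3</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

# Constructed body for an ordinary single call, for comparison.
SAMPLE_SINGLE_CALL = """<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params><param><value><string>admin</string></value></param>
          <param><value><string>sample-pass-1</string></value></param></params>
</methodCall>"""


def multicall_summary(xml_body):
    """Return (is_multicall, total inner calls, Counter of inner method names).

    Only the top-level multicall array is inspected, so nested structs inside a
    call's own params are not mistaken for additional calls.
    """
    root = ET.fromstring(xml_body)
    if root.findtext("methodName", default="").strip() != "system.multicall":
        return False, 0, Counter()
    inner = Counter()
    data = root.find("params/param/value/array/data")
    for value in ([] if data is None else data.findall("value")):
        struct = value.find("struct")
        if struct is None:
            continue
        for member in struct.findall("member"):
            if member.findtext("name", default="").strip() == "methodName":
                inner[member.findtext("value/string", default="").strip()] += 1
    return True, sum(inner.values()), inner


def is_bulk_credential_check(xml_body, max_calls=1):
    """True when a multicall packs more than max_calls wp.getUsersBlogs calls."""
    is_multi, _, names = multicall_summary(xml_body)
    return is_multi and names["wp.getUsersBlogs"] > max_calls


if __name__ == "__main__":
    print("clients over threshold:", flag_suspicious_clients(SAMPLE_LOG))
    print("multicall body:", multicall_summary(SAMPLE_MULTICALL))
    print("bulk credential check:", is_bulk_credential_check(SAMPLE_MULTICALL))
```

The two checks are complementary: the log counter catches the WPscan-style pattern of many requests from one client, while the body inspector catches the case the abstract highlights, where a single request already contains many credential checks and would slip under a plain rate limit. Either signal is a reasonable trigger for blocking xmlrpc.php at the web server or, as the study recommends, disabling XML-RPC outright.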
Copyrights © 2025