At PrenHost, we continuously work to improve the security and performance of our shared hosting infrastructure.
One common target for brute-force attacks and spam requests on WordPress websites is the xmlrpc.php endpoint. While XML-RPC was once widely used for remote publishing and mobile app connectivity, most modern WordPress websites no longer require it.
To reduce abusive traffic and improve server stability, we have implemented a global XML-RPC protection layer across our shared hosting servers powered by LiteSpeed, CloudLinux, and WHM/cPanel.
What We Changed
We now block direct access to xmlrpc.php at the web server level using LiteSpeed-compatible Apache rules:
<FilesMatch "xmlrpc\.php$">
    Require all denied
</FilesMatch>
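To confirm that a rule like this is taking effect, the access log can be checked for xmlrpc.php requests that were not denied. The script below is an added example, not PrenHost's own tooling; it assumes combined-format access logs and that denied requests are logged with status 403, and the log lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:00:02 +0000] "POST //xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2025:10:00:05 +0000] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 200 420 "-" "Jetpack"
192.0.2.44 - - [12/May/2025:10:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2025:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, method, request target and status from one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_xmlrpc(target):
    """Apply the same pattern as the FilesMatch rule to the requested file name."""
    path = target.split("?", 1)[0]          # drop the query string
    filename = path.rsplit("/", 1)[-1]      # FilesMatch tests the file name only
    return bool(re.search(r"xmlrpc\.php$", filename))


def summarize(log_text):
    """Per-IP counts of xmlrpc.php requests: denied with 403 vs. any other status."""
    blocked, served = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_xmlrpc(m["target"]):
            continue
        # Assumption: a request denied by the rule is logged with status 403.
        (blocked if m["status"] == "403" else served)[m["ip"]] += 1
    return blocked, served


if __name__ == "__main__":
    blocked, served = summarize(SAMPLE_LOG)
    for ip, n in blocked.most_common():
        print(f"blocked {ip}: {n} request(s) denied with 403")
    for ip, n in served.most_common():
        print(f"REVIEW  {ip}: {n} request(s) not denied (rule absent or XML-RPC enabled for the site)")
```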
Benefits
- Better protection against WordPress brute-force attacks
- Reduced XML-RPC flood and multicall abuse
- Lower server resource usage
- Improved shared hosting stability
- Faster response handling through LiteSpeed Web Server
Is It Safe?
Yes — for most websites this is completely safe. Modern WordPress features use the REST API instead of XML-RPC.
However, some services may still require XML-RPC, including:
- Jetpack
- WordPress Mobile App
- Some third-party remote publishing tools
If you require XML-RPC access for your website, our support team can help you enable it selectively.
At PrenHost, we focus on proactive security and optimized hosting performance for all customers.