By using’s services you agree to our Cookies Use and Data Transfer outside the EU.
We and our partners operate globally and use cookies, including for analytics, personalisation, ads and Newsletters.

  • Join the Best Wordpress and Elementor Support forum

    Provide or get advice on everything Elementor and Wordpress, ask questions, gain confirmation or just become apart of a friendly, like minded community who love Wordpress and Elementor

    Join us!
elementor official

Wordfence plugin (free version) - flagged traffic hitting remote access feature /xmlrpc-php. You might want to check this out.



New Member
I see there is a security forum on this site, and I see this may be the first post!

I am sharing this so that it might help head off any issues for other elementors out fighting the good fight.

I have always installed wordfence plugin (free version only) on WP installs, to give some extra site protection (there is a lot you can do at the terminal/server level but some may not be too comfy with that or are at varying levels of comfort.)

I had not looked at the live traffic readout in wordfence on a current dev project, but I am sure glad I did.

First thing that I noticed that this (dev) WP install was getting a lot more traffic than I expected to the top level domain.

This sit in development had password protection in place (via plugin),meaning no traffic should be able to see the admin login or any other part of the site itself - yet it sure was getting a lot of traffic that wordfence was flagging as amber but mostly RED.

It was also a lot more compared to other WP installs, which were fully live sites.

In this instance, this may be due to the particular host and package used in this install.

So then I drilled down into some of the live traffic captured and displayed by wordfence, and so much of the traffic was trying to hit this url in on e way or another


Aquick search for /xmlrpc-php brought me to this page which explained a lot:

A good rea, maybe a vital read for all -

It turns out this is a remote access feature in WP since 3.5, you probably do not use it but it seems it's a primary goto weak point for all those hacker/bots out there sniffing around.

You can use a plugin per the link above or change the code, to disable it, and you can then check it's not available on your site but using this link (as per the previous woengine link)

You might think, why not dev locally, i.e. offline, tbh, it saves a few steps down the line, and it was not a client site in the first instance, nor was it too complex, mainly static, not even a contact form.

Them main thing here is wordfence was blocking these attempts, but xml-rpc-php was still live on the WP installation - so I used the plugin to disable it and tested it. All seemed good. It was not available.

I am not shilling for wrodfence, but you can see how it is covering your ass in a major way with jsut the free versions of the plugin, so big benefits (with no noticeable hit to performance, not tested dit yet but on usage all is snappy),there may be better plugins out there. I look forward to any recommendations from other users.

In summary, if you are not really up on the technical side of potential traffic threats and internet baddies lurking in cyberspace, or you have never actually given it too much thought, perhaps at least install a plugin like wordfence to reduce you chances of you site being hacked and causing you all kinds of woe and mayhem.

One final note - On the point of hosting, it may be the other installs I have on WP, which are on more dedicated or tailored WP hosting packages, may have better dedicated WP monitoring systems in place to protect there server farms of virtual wp deployment overall and thus this might explain why these live sites, show less beligerent traffic in the wordfence live traffic feed, but this is a guess on my part - so good hosting choices, may also be part of your security approach too when considering where to put a client site.
Last edited:

Latest Resources

Other Elementor Resources

elementor official