If you’re Googling something like “why are my WordPress server processes and RAM maxed out?” and landed here, here’s the quick version.
XML-RPC (xmlrpc.php in WordPress) is a legacy protocol that allows remote procedure calls — basically, it lets external applications communicate with your WordPress site.
It blows my mind that this is still around in 2026 — and even more that it’s still enabled by default, especially after the core team removed the easy toggle to disable it a few years back.
Here’s the problem: XML-RPC is one of the most abused attack vectors in WordPress. It’s a favorite for:
- Brute-force attacks (testing thousands of passwords in a single request)
- Amplified DDoS attacks
- Resource exhaustion that leads to maxed-out CPU, PHP workers, and RAM
If you’re seeing “server processes maxed” errors, xmlrpc.php is often one of the first things to check.
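One way to run that check against your access log, as an added example that is not part of the original post: it counts POST requests to xmlrpc.php per client IP and breaks them down by response status, so after blocking the file you can confirm the responses switch to 403. It assumes the Apache/Nginx "combined" log format; the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_hits(lines, threshold=3):
    """Return (share, noisy) for POSTs to xmlrpc.php (hypothetical helper).

    share: fraction of all parsed requests that are xmlrpc.php POSTs.
    noisy: {ip: Counter(status)} for clients with >= threshold such POSTs.
    """
    total = 0
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        total += 1
        # Drop the query string and normalise case before matching the path.
        path = m["path"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            per_ip[m["ip"]][m["status"]] += 1
    hits = sum(sum(c.values()) for c in per_ip.values())
    share = hits / total if total else 0.0
    noisy = {ip: c for ip, c in per_ip.items() if sum(c.values()) >= threshold}
    return share, noisy

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:03:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Jan/2026:03:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.20 - - [10/Jan/2026:03:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:03:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.20 - - [10/Jan/2026:03:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.5 - - [10/Jan/2026:03:14:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "-"
203.0.113.7 - - [10/Jan/2026:03:20:00 +0000] "POST //xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "-"
this line is not a request and is ignored
"""

if __name__ == "__main__":
    share, noisy = xmlrpc_hits(SAMPLE_LOG.splitlines())
    print(f"xmlrpc.php POSTs: {share:.0%} of parsed requests")
    for ip, statuses in noisy.items():
        print(ip, dict(statuses))
```

To use it on a real site, pass the open access log file object instead of the sample lines and raise the threshold to suit your normal traffic.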
For most sites, there’s absolutely no reason to leave it exposed. The only real use cases are the WordPress mobile app or certain legacy integrations like Jetpack — and even then, you should seriously reconsider. The WordPress REST API has largely replaced XML-RPC and is significantly more modern and secure.
Block it. Disable it at the server level. Move on.
And while you’re tightening things up, install a reputable security plugin like Wordfence.
Add to your .htaccess
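# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
# Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat
order deny,allow
deny from all
# Replace with an IP that still needs XML-RPC access, or remove this line
allow from xxx.xxx.xxx.xxx
</Files>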
Add to your functions.php
add_filter('xmlrpc_enabled', '__return_false');
Add to your wp-config.php
define('XMLRPC_REQUEST', false);
After this, install a fresh copy of WordPress and your theme to make sure nothing was remotely modified or hacked.
Also, check your comments. Usually these attacks insert thousands of spam comments into your database. Install a plugin like “disable comments” and bulk delete them all.