I'm receiving a 403 error when accessing Wordpress' XMLRPC or Jetpack

Over the last few months we have seen a significant increase in attacks made against Wordpress, in particular via the XMLRPC.php file included within Wordpress. This file can be used to brute force credentials against Wordpress installations, so for security reasons we have globally disabled access to this XMLRPC file on a server level. This means that any attempts to access this file will result in a "403: Forbidden" error message. We are aware that this implementation may affect the Jetpack plugin and some applications which rely on using the Wordpress API to communicate with your blog, and for this we are indeed sorry.

We are able to remove this restriction and disable the mod_security rule on an individual account and domain basis - resulting in the file being accessible again. If you wish for us to do this, please open a support ticket requesting we disable mod_security's XMLRPC rule and provide us with the domain name you would like this disabled for. If you'd like this actioned on multiple domains, please include the domains in a list. Please be advised that if you wish for this rule to be disabled, we strongly recommend implementing some additional security steps to protect against XMLRPC attacks. We also strongly advise that you keep your Wordpress up to date at all times.


  • 2 Users Found This Useful
Was this answer helpful?

Related Articles

My site/cPanel appears down or times out after I tried to login!

What is happening? We monitor all services (E-mail, FTP, cPanel, Web, etc) on our servers for...

My website is generating an "Internal Server Error" or 500 error.

Each time an "Internal Server Error" occurs, this error is fully logged to an error_log within...

Why are my e-mails being marked as ***SPAM*** ?

Why am I seeing e-mails being marked as ***SPAM*** in the subject header? We now implement a...

I've received a warning about my reseller disk space

Due to the way cPanel and WHM works, there can be a difference of disk usage reported by our...

I'm receiving a popup login window when trying to Wordpress

UPDATE NOTE: This system is now deprecated, meaning it is no longer active and has been removed...