How to block xmlrpc on WordPress while allowing JetPack

I have a WordPress website running on a VM, and I’m seeing a lot of unwanted requests to the xmlrpc.php component that are slowing down the site causing high CPU loads. If it was by me, I would disable it entirely, but the site uses the JetPack plugin which relies on xmlrpc.

Is there any way to use fail2ban to block requests to xmlrpc while allowing requests from JetPack?
If yes, what are the steps to accomplish this?


As far as I can tell, Jetpack only uses xmlrpc during setup. I use Jetpack and have xmlrpc blocked. Although JP complains with a warning, i haven’t noticed any other ill effects… But it could be affecting something I’m not using, so take this with a grain of salt.

You’re probably not using all the features. As soon as I block or disable xmlrpc, I can no longer see the site stats, connect through, and jetpacks begins to complain.

I remember the trick now. You have to enable xmlrpc while you activate and set up Jetpack, then you can turn it off. That’s what I did and it works, although it still complains.

Not yet, but that seems like a good feature to add :wink:

1 Like

It might now complain, but you can access stats and other features from, which means that it’s still getting blocked.

This is a new feature in

4.3.1.x is a Development (beta) branch. It should be stable enough to use in production, but obviously there may be bugs in the new features.

1 Like

Thank you so much for listening to the feedback.