Showing posts from September, 2017

Gain Access of WordPress by Exploiting XML-RPC

XML-RPC and Why It’s Time to Remove it for WordPress Security

WordPress is the most popular blogging and CMS platform on the planet, not because it is difficult to use but because it is user-friendly and feature-rich.

Our attention here is on the platform's use of XML-RPC, a remote procedure call (RPC) mechanism that allows encoded XML calls to be transported via the HTTP protocol. This makes it very, very easy for WordPress contributors to post content remotely, and makes it trivial to post a large volume of data in a single push.

But that ability to push a large amount of data means that we hackers can also push a large number of passwords at it. Sure, you're essentially brute-forcing your way into someone's WordPress account, but those 500 tries just look like you fat-fingered your password once. Two times? You just tried a thousand passwords. This sure beats trying one password per login attempt. CMS frameworks like WordPress and Drupal generally use xmlrpc where