Securing your site against XML-RPC attacks

What is XML-RPC?

The simple answer is that XML-RPC (short for XML Remote Procedure Call) is a method of allowing remote access to your website, specifically to:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

The service is known as an API (Application Programming Interface) and allows developers of any type to connect their app or service to a WordPress website.

This could include mobile phone apps such as the WordPress app, desktop apps, IoT devices, software services or literally anything that can connect with the internet.

Before the REST API was introduced in WordPress 4.4, XML-RPC was the biggest WordPress API.

Why you may be wanting to deactivate XML-RPC

You may have read somewhere about two large attacks against WordPress websites in 2015 that abused the XML-RPC service.

These were:

  • DDoS via XML-RPC pingbacks. The attacker tries to flood your website with pingback requests to overload the server. They use the file xmlrpc.php to generate thousands of pingbacks to your website.
  • Brute force attacks via XML-RPC. The attacker tries to guess your login details to get access to your site content. They try to log in to WordPress through xmlrpc.php with as many username/password combinations as quickly as possible.

What uses XML-RPC?

XML-RPC has been around for as long as WordPress has. Being the biggest API, lots of apps use it to access WordPress sites remotely. Some are listed below:

  • The official WordPress app for iPhone and Android.
  • Trackbacks and pingbacks when other sites link to yours.
  • Jetpack, one of the most widely used plugins, uses it to connect to wordpress.com services such as collecting site visitor data.
  • Likely a whole slew of other things…

So you need to think very carefully before you go ahead and deactivate the service completely. If you do choose to disable XML-RPC, at the very minimum the apps and services mentioned above won’t work properly, or at all.

How to deactivate XML-RPC

The most efficient way of deactivating the service is to place some code in your top-level .htaccess file.

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
        order deny,allow
        deny from all
        allow from 123.123.123.123
    </Files>

This denies access to the xmlrpc.php file which is used by the service.

Replace 123.123.123.123 with your own computer’s IP address, or remove line 5 (the "allow from" line) to disable XML-RPC for everyone.
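One way to spot the pingback floods and brute-force attempts described above in your web server's access log, and to confirm that the deny rule is actually taking effect, is to count requests to xmlrpc.php per client and per minute. This is an added Python example, not code from the original article or from the plugin; it assumes Apache's "combined" log format and uses constructed sample lines (documentation IP ranges) rather than real traffic.

```python
import re
from collections import Counter

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 3120 "-" "wp-android/22.1"
192.0.2.9 - - [10/Oct/2023:13:55:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_xmlrpc_hits(log_text):
    """Yield (ip, minute, status) for every request that touched xmlrpc.php."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?")[0]          # drop any query string
        if not path.lower().endswith("/xmlrpc.php"):
            continue
        minute = m.group("ts")[:17]                   # e.g. "10/Oct/2023:13:55"
        yield m.group("ip"), minute, int(m.group("status"))


def flag_xmlrpc_abusers(log_text, per_minute=3):
    """IPs that sent at least per_minute xmlrpc.php requests within one minute, with their peak rate."""
    per_bucket = Counter((ip, minute) for ip, minute, _ in parse_xmlrpc_hits(log_text))
    peak = {}
    for (ip, minute), n in per_bucket.items():
        if n >= per_minute:
            peak[ip] = max(peak.get(ip, 0), n)
    return sorted(peak.items(), key=lambda kv: -kv[1])


def block_effectiveness(log_text):
    """Count xmlrpc.php responses by HTTP status; 403s show the .htaccess deny rule is active."""
    return Counter(status for _, _, status in parse_xmlrpc_hits(log_text))


if __name__ == "__main__":
    print(flag_xmlrpc_abusers(SAMPLE_LOG))    # [('203.0.113.5', 4)]
    print(block_effectiveness(SAMPLE_LOG))    # Counter({200: 5, 403: 1})
```

Run it against your real access log (for example by reading /var/log/apache2/access.log into log_text) to see which clients are hammering xmlrpc.php and whether they are now receiving 403 responses.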

If you are not confident about editing your .htaccess file, or are not able to, there are plenty of plugins in the wordpress.org repository that do the same job, or you can use our own Deactivate XML-RPC Service plugin.
