How to disable xmlrpc.php for WordPress?


  • Applies to: WordPress sites
  • Difficulty: Easy
  • Time Needed: 10
  • Tools Required: wp-admin access, FTP access

Overview

The following guide will provide a brief outline of the original purpose of xmlrpc.php, why disabling this feature is recommended for security, and how to go through the steps of disabling it. Fortunately, disabling XML-RPC can usually be done within a few minutes.

STATEMENT OF SUPPORT:
Please keep in mind that troubleshooting the configuration or functionality of third-party applications is not covered by our statement of support. These resources are provided as a courtesy, to assist you to the extent of our abilities. For more information, see our statement of support.

What is XML-RPC?

XML-RPC for WordPress was designed to enable remote connections between your site and external applications. This means users can interact with their WordPress site through other blogging platforms or phone apps. This was useful in the earlier days of the internet, when a person would want to edit content offline and then connect to their WordPress blog later to publish it.

There are certain situations where users would want to use XML-RPC. However, with advances in technology, the use and functionality of XML-RPC has been greatly reduced since its inception. As such, the original benefits of this feature have become outweighed by the security risks of leaving it enabled.

Why should I disable XML-RPC?

As alluded to in the previous section, there are security risks associated with leaving XML-RPC enabled. These can include:

  • Brute Force Attacks - Where an attacker can use xml-rpc to test hundreds of username and password combinations until they eventually gain access to your site. This occurs because xml-rpc does not have the same login attempt limit that exists when you log into WordPress normally.
  • DDoS Attack - Where an attacker can use xml-rpc to pingback thousands of IPs. This allows them to send a flood of data and traffic, which can cause overages and even leave networks paralyzed and shut down.

Instructions

Check if XML-RPC is enabled

  1. Go to the following website: XML-RPC Validator.
  2. Type in your domain name. Then click Check.
    • Although there is a Username/Password box, you can leave that section blank.
  3. If you receive a success message, that means that XML-RPC is enabled and you will want to disable it.

Method 1 - Plugin

  1. Log into your WordPress Admin Dashboard.
  2. Click on Plugins >> Add New.
  3. Search for "Disable XML-RPC" and install the Disable XML-RPC plugin.
  4. Simply activate the plugin, and that's it! XML-RPC should be disabled.
  5. You can recheck using the XML-RPC Validator. A failure message will confirm that XML-RPC is disabled.

If you wish to retain specific functionality of XML-RPC you can utilize other plugins such as:
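The plugin in Method 1 is a thin wrapper around WordPress filters, and the same filters let you keep remote publishing while removing the parts behind the two risks described above. The must-use plugin below is an added example written for this guide; it is not code from the article, from the Disable XML-RPC plugin, or from WordPress itself. The RESTRICT_XMLRPC_MODE constant and the restrict_xmlrpc_* function names are assumptions of the example; the filters it hooks (xmlrpc_methods, wp_headers, pings_open) and the XMLRPC_REQUEST constant are WordPress's own.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example)
 * Description: Either blocks xmlrpc.php outright or keeps remote publishing
 *              but removes the pingback methods. Place this file in
 *              wp-content/mu-plugins/ and it loads without activation.
 */

// Assumed setting for this example: 'off' blocks every XML-RPC request,
// 'reduced' keeps the authenticated publishing methods (wp.*, metaWeblog.*)
// and removes only the pingback methods behind the DDoS risk.
const RESTRICT_XMLRPC_MODE = 'reduced';

// xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so a
// must-use plugin can end the request before any method is dispatched.
// This mirrors the .htaccess method for servers that do not read .htaccess.
if ( 'off' === RESTRICT_XMLRPC_MODE && defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
	http_response_code( 403 );
	exit;
}

// The approach of single-purpose "disable" plugins is
// add_filter( 'xmlrpc_enabled', '__return_false' ). WordPress checks that
// filter only in its login step, so methods that need no login, pingback.ping
// among them, still answer. The method filter below closes that gap.

/**
 * Drop the pingback methods from the method table before the server is built.
 *
 * system.listMethods, system.getCapabilities and system.multicall are
 * registered by the server class after this filter runs, so they remain;
 * they cannot be removed from here.
 *
 * @param array $methods Method name => handler map supplied by WordPress.
 * @return array Filtered map.
 */
function restrict_xmlrpc_remove_pingback( array $methods ): array {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', 'restrict_xmlrpc_remove_pingback' );

/**
 * Stop advertising the endpoint: WordPress adds an X-Pingback header that
 * points at xmlrpc.php to front-end responses.
 *
 * @param array $headers Response headers assembled by WordPress.
 * @return array Headers without X-Pingback.
 */
function restrict_xmlrpc_strip_header( array $headers ): array {
	unset( $headers['X-Pingback'] );
	return $headers;
}
add_filter( 'wp_headers', 'restrict_xmlrpc_strip_header' );

// Report pingbacks as closed so well-behaved remote sites do not send them.
add_filter( 'pings_open', '__return_false' );
```

In 'reduced' mode the login methods still authenticate, so the brute-force risk described above is not removed; pair it with a login rate-limiting plugin or with the .htaccess allow-list in Method 2. In 'off' mode the XML-RPC Validator check from the Instructions should report a failure, the same outcome as Method 1.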

Method 2 - .htaccess

  1. Using FTP or File Manager, navigate to your site's root directory.
  2. Open the .htaccess file.
  3. Add the following code to the .htaccess:
    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    </Files>

    You can replace xxx.xxx.xxx.xxx with an IP address you wish to give access to xmlrpc.php. If you wish to remove access completely, simply remove the allow line. Note that order, deny and allow are the Apache 2.2 access-control directives; Apache 2.4 accepts them only when mod_access_compat is loaded, so if the site returns a server error after this change, check with your host which Apache version is in use.