Since the appearance of WordPress, XML-RPC is a subject in regard to this CMS and many people thinks that it belongs to WordPress but that is not correct because XML-RPC is prior to WordPress. It was initially developed in 1998 and WordPress appeared about five years later in 2003. WordPress is also a fork and not a solo project. Back in 2002 the most promising free source code for creating a blog was B2 but sudenly its developer stopped working on it and a few months later a fork appeared and no one ever remembered B2. That fork is WordPress.
So XML-RPC is a tool used by WordPress to comunicate to other platforms, in other words is an API. An API is a set of programming rules made to allow one software to “speak” to another like a communication channel. There are a few use cases for WordPress XMLRPC but the most used is the connection between the CMS and its Mobile App.
In regard to WordPress XMLRPC Security, it can be a breach on the code because it allows two major attacks to your website:
- Username and password brute force
- By brute forcing a username and password, an attacker can eventually find a way into your website administration panel, taking full control of it
- DDOS
- A Distributed Denial-of-Service (DDoS) attack uses the pingback and callback function of WordPress to stress the hardware resources of the web hosting server you are using to host your website and eventually take it down for a period of time
Before telling how to disable it, you should know that XML-RPC is basically one file called xmlrpc.php that sits on the root of your WordPress website. This way you can easily know if it is listening for communications (or attacks) or not by typing the following address on your favourite browser https://domain.tld/xmlrpc.php and if you get the following message it means is active (listening):
XML-RPC server accepts POST requests only.
Note – Replace domain.tld with your domain name and replace https with http in case you are not using a certificate for your website (highly recomended to use).
If you get an error message means that the file is not present or blocked somehow.
Is important to mention that meanwhile, WordPress developed its own API but still uses XML-RPC API for legacy installations, so you will have that functionality in your latest version of WordPress, possibly forever because WordPress tends to keep compatibility with old versions. Is strongly recommended to use the new WordPress API instead of the legacy XML-RPC, for this reason is better to disable it, avoiding a huge opportunity for attackers to take your website down. So unless you use it, lets look at the tive possible ways to disable it:
- Change the WordPress Code
- Delete the xmlrpc.php file
- Install a plugin
- Disable on .htaccess (recommended)
- Cron Job
The first three options are not recommended because on the two first ones , after an update of the CMS it can be reverted so you have to patch it everytime after an update. The third one is also not recommended even though is the easiest to implement but not the right choice because it requires more resources from your web hosting server.
The recommended way is by using the .htaccess file, which is a file located on the root of your website that you can and should use to tell the web hosting server what to do in specific circumstances like handling the xmlrpc.php file. to do so, connect to your web hosting server throught SFTP, FTP, or FTPS and edit the file by adding the following lines of code:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from xxx.xxx.xxx.xxx </Files>
You can remove the line allow from xxx.xxx.xxx.xxx
if you do not want to set a specific IP to be able to connect from. If you want to set an IP for allowed connections just replace the xxx.xxx.xxx.xxx
with the right IP. This way you are blocking the XML-RPC at a web hosting server level, almost not taking any resources from it when someone attempts to use such functionality. Keep in mind that as a website owner you must always do your best to protect your web hosting server from unnecessary resource usage for a better website performance and stability.
If your web hosting server does not use Apache server but NGINX instead the .htaccess is not an option because it only works and exists on Apache servers (the most used web hosting servers). In this case you can set a cron job on your web hosting control panel to remove the file xmlrpc.php if it exists and even after an update it will be removed but this is not the ideal solution so you can always ask you hosting provider to create a NGINX template to disable the access to the xmlrpc.php file. In last case you can try a plugin, not recommended once it might work or not because most of the plugins are not programmed to deal with non Apache servers and even if it works is not the right solution because is not hardware resources friendly.
If you have any questions, just comment and I will do my best to help you.
Leave a Reply