Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

XML-RPC – WordPress feature to watch out for

Friday, May 31st, 2019 by Helge

WordPress has long been offering built-in features that allow you to remotely connect to your site – of course, very smoothly and desirably when you do not have direct physical access to your computer. For a long time, the main solution to this was a file named xmlrpc.php – but in recent years the file has become more of a pest than a solution.

xmlrpc-wordpress Now maybe your first thought is “xmlr … what?” Don’t worry, we’ll go through everything you need to know, what the risks are and how to fix them on your WordPress site.

What is Xmlrpc.php?

XML-RPC is briefly a function in WordPress that enables the transfer of data, with HTTP as the transport mechanism and XML as the encoding mechanism. WordPress is not a completely independent ecosystem, but often needs to communicate with other systems, and this is facilitated by XML-RPC. The same goes for remote access. For example, if you want to log in to your site from your mobile device, use the remote access feature enabled by xmlrpc.php to do so.

Other features enabled by xmlrpc.php include the implementation of trackbacks and pingbacks from other websites and control of a number of functions in the frequently used Jetpack plugin.

In fact, XML-RPC has existed in WordPress right from the beginning, when the internet we know it today was an infinitely slow experience – and publishing content was both complicated and time consuming. Many WordPress users then wrote their content offline in word processors instead of typing in the browser itself, and then copied and pasted the content. This process was, of course, far from ideal, but was even smoother and safer than typing directly into the browser on a shaky and slow connection, without any autosave features.

The solution was then to simply create an offline blog client, where the user could compose their content and then connect directly to the blog to publish. This connection was made through XML-RPC, and with the basic framework of XML-RPC in place, other early apps also began using the same connection method to allow users to log in to their WordPress sites from other devices.

XML-RPC is used less and less

When version 2.6 of WordPress was rolled out in 2008, there was the option to enable or disable XML-RPC. But when WordPress was released as a smartphone app, XML-RPC support was enabled by default, and it was no longer possible to turn off the setting. And so it has been since then, although the function itself (in step with the development of the WordPress platform) has come to play less role and is not used to the same extent as from the beginning.

In conjunction with WordPress rolling out its upcoming brand new API, many developers predict that XML-RPC will be completely removed, and that the functions are encoded directly into the WordPress kernel. But until the new API is ready and sharp (it can be tested already now) it may be a good idea to disable XML-RPC. But why then, maybe you are wondering now?

What is the problem?

The biggest problems with XML-RPC are the security risks that technology entails. The problems are not directly linked to XML-RPC, but it is about how the file can be used to activate a so-called brute force attack on your website.

There are two main weaknesses in XML-RPC that malicious actors can exploit.

The first uses a pure brute force attack to gain access to your site. An attacker will try to access your site using xmlrpc.php using different usernames and password combinations. They can effectively use a single command to test lots of combinations of different user names and passwords. By going through xmlrpc.php, the security features that usually detect and block brute force attacks circumvent.

The second attack method opens for attackers to lower websites through DDoS attacks. Attackers exploit the pingback feature of WordPress to send pingbacks to thousands of websites simultaneously. This feature in xmlrpc.php gives attackers an almost infinite range of IP addresses to deploy their DDoS attack over.

To check whether XML-RPC is used on your website, you can run it through a tool called XML-RPC Validator . Run your site through the tool, and if you get an error message, it means you do not have XML-RPC enabled. However, if you get a “positive” response from the tool, you can turn off xmlrpc.php with one of the two methods below.

Of course, you can protect yourself with incredibly strong passwords and various WordPress security tools – but the best protection is to simply disable the feature. So to the most important question, how do you turn it off? Fortunately, disabling XML-RPC on your WordPress website is very easy. There are two main ways to do this.

Method 1: Disable Xmlrpc.php with plugins

The easiest way is to navigate to Extensions> Add New to your WordPress control panel. Search for Disable XML-RPC and install the plugin that looks like in the picture below:


Activate the plugin and you are completely on the safe side. This plugin automatically adds the required code to turn off XML-RPC.

Keep in mind that some existing plugins may use parts of XML-RPC, so disabling it may completely cause a plug-in conflict or cause some parts of your site to stop working. If you just want to close some parts of XML-RPC, but want to allow some plugins and functions to use the function, you can instead use the following plugin instead:

Stop XML-RPC Attack – This plugin stops all XML-RPC attacks, but allows plugins like Jetpack and other automated tools and plugins to continue accessing the xmlrpc.php file.

Control XML-RPC Publishing – This plugin allows you to maintain control and use the remote publishing option enabled by xmlrpc.php.

Method 2: Disable Xmlrpc.php manually

If you do not want to use a plugin but prefer to do the shutdown manually, you can use this simple method. It will stop all incoming xmlrpc.php requests before they are passed on to WordPress.

Locate and open your .htaccess file. You may need to enable “show hidden files” in the file manager or your FTP client to find this file. Then paste the following code into your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny, allow
deny from all
allow from
</ Files>

So, clear! Now you do not have to worry about any nuisance using the security holes in the XML-RPC.

XML-RPC - WordPress feature to watch out for , 4.4 out of 5 based on 9 ratings
Categories: Guides & Tutorials
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

No comments yet (leave a comment)

You are welcome to initiate a conversation about this blog entry.

Leave a comment

You must be logged in to post a comment.