But over the years, as our internet services have improved, the majority of WordPress users don’t use this feature any more. Most aren’t even aware that it exists.
Having a redundant feature active on your site doesn’t pose a problem. The issue with WordPress XML-RPC is that a vulnerability appeared in September 2015. This allowed hackers to exploit the XML-RPC feature to try to break into WordPress sites.
WordPress quickly patched this exploit and any site running on version 4.4.1 or higher is immune to this hack. But unfortunately, there are millions of sites running on outdated versions of WordPress that make them vulnerable to XML-RPC hacks. We recommend updating WordPress regularly.
If you run a WordPress website and don’t need to publish content remotely, it’s best to disable this feature. In this article, we’ll discuss what XML-RPC is and take you through the process of disabling it in a few simple steps on your website.
What Is XML-RPC?
In simple terms, XML-RPC is a feature on WordPress that enables you to send data from another device to your WordPress site. Using this feature, you can make a remote connection with your site using a smartphone. For instance, you can publish a post from the WordPress mobile app to your WordPress website.
To understand the xmlrpc.php file, we need to know a few basics:
- RPC is a Remote Procedure Call. Using this, you can call a procedure remotely from a different machine or device.
- XML stands for Extensible Markup Language which is designed to store and transport data (similar to HTTP). In this case, XML is the language used to encode the data that needs to be sent.
- HTTP is the HyperText Transfer Protocol. It defines how messages are formatted and transmitted over the World Wide Web. It also determines the actions of web servers and browsers in response to commands. In this case, HTTP is the protocol used to transport the data from the remote device to the website.
- PHP is a programming and scripting language that is used to serve dynamic websites. It makes the interaction between the user, the website and the database possible.
So in technical terms, the xmlrpc.php file enables a remote procedure call that uses XML to encode the message to be sent over HTTP. Using this, you can exchange information between devices or computers across.
A WordPress installation initially had XML-RPC disabled by default due to security concerns. You had to go to Settings > Writing > Remote Publishing to turn the feature on. This changed with version 3.5 because as the WordPress software improved, it no longer was a big security issue. Now, when you install WordPress, the XML-RPC is enabled by default. Further, the option to enable or disable it was removed.
What Can XML-RPC Be Used For?
The file primarily serves three functions:
- Remotely access your website and make changes. Let’s say, you want to post something to your WordPress blogs, but you don’t have your computer with you. You can use the WordPress app on your mobile device to post to your site. The WordPress app does this by using the remote access feature enabled by a file called xmlrpc.php.
- Implement trackbacks and pingbacks. This is a method of alerting blogs that you have linked to them. XML-RPC trackbacks are created manually and an excerpt of the content has to be sent. XML-RPC pingbacks are automated and no excerpt is sent.
- Enables JetPack plugin to connect to WordPress.com. Millions of people use JetPack as it’s an all-round security, performance and site management tool. If you use JetPack and the WordPress app, you need the xmlrpc.php file for it to work.
What Is The XML-RPC Vulnerability?
When you send xmlrpc.php requests to your website, WordPress will authenticate the action with a username and password. This is a very basic security check and we do not recommend it for such processes.
Another important to know here is that the XML-RPC function is capable of handling large volumes of data.
Both these factors contribute to making brute force attacks possible. A brute force attack is one wherein hackers use bots to try to guess your username and password. These bots can try thousands of combinations in a single command and therefore, make thousands of login attempts in no time.
Because the xmlrpc.php file can handle large amounts of data, hackers can send a large number of passwords at a time.
Another type of attack hackers can carry out on your site are DDoS attacks. Here, hackers bring down websites (usually ones of big brands or governments) by sending pingbacks to thousands of sites instantaneously.
To minimize the risk of being attacked, you should use strong credentials. Avoid usernames like ‘admin’ and passwords like ‘password123’. We recommend you use a strong passphrase like so:
But this doesn’t eliminate the risk of an XML-RPC attack completely. If you don’t use it, it’s best to block access to xmlrpc.php. We’ll show you how next.
How to disable XML-RPC in WordPress
There are two ways in which you can disable the XML-RPC feature on your WordPress website – using a plugin and manually. We’ll show you both.
Method 1: Disabling XML-RPC with a plugin
To disable xmlrpc.php, there are a few plugins available in the WordPress repository. Here, we’ll show you how to do it using the ‘Disable XML-RPC’ plugin.
1. Login to your wp-admin dashboard and go to ‘Plugins’.
2. Here, click on ‘Add New”.
3. Next, using the search bar, look for ‘Disable XML-RPC’. You should see the following plugin in the results:
4. Install and activate the Disable XML-RPC plugin. The XML-RPC feature will be disabled once you activate the plugin. This plugin will work on any WordPress site running on version 3.5 and above. Since it’s a free plugin, we recommend ensuring that the plugin receives regular updates to make sure it’s not abandoned by its creator. Other plugin options include:
Each plugin helps in blocking access to XML-RPC but has different features to offer. You can choose the one that suits your WordPress site best.
Method 2: Disabling XML-RPC Manually
To disable xmlrpc.php, you need to access your WordPress files. Before you do this, we recommend taking a backup of your website. This is because any time you make changes to your WordPress files, the slightest misstep could break your site or result in data loss.
When making manual changes, we also recommend creating a staging site. You can create a staging site easily with BlogVault or with your WordPress hosting provider, if they provide the option. Here, you can make changes without worrying about breaking your website. Once you’re happy that the changes are working fine, you can push these changes to your live site.
Now let’s begin with the manual method of blocking XML-RPC on your WordPress site:
1. To access your WordPress files, login to your hosting platform account.
2. Here, you should have an option called ‘Cpanel’.
3. Under that, you can access ‘File Manager’.
4. Next, in File Manager, your website’s folders should be under the folder named ‘public_html’. Here, you’ll see three main folders – wp-admin, wp-content, and wp-includes.
5. You should see a file named ‘htaccess’ here. If you don’t, you can use the search bar on the top-right of the screen to look for it. Tip: If your website has a .htaccess file but you can’t see it, visit settings and click on ‘show hidden files.’ See our guide on how to edit .htaccess file in WordPress.
If your website doesn’t have an htaccess file, simply create one. Use the ‘+File’ option on the top-left corner of the screen.
6. Open the .htaccess file by right-clicking and choosing ‘Edit’.
7. To restrict access of XML-RPC, paste the following code to this file:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from xxx.xxx.xxx.xxx </Files>
In the 5th line ‘allow from xxx.xxx.xxx.xxx’, replace the x’s with your IP address, if you would like to retain XML-RPC from a particular IP. Otherwise, you can simply delete this line.
8. Save changes and close the file. The code disables XML-RPC.
9. Visit your website to make sure everything is working fine. If you’re using a staging site, merge the changes or replicate the same on the live site.
We’re confident if you used any one of the methods above, your website should be safe from any vulnerabilities via XML-RPC. The blocked xmlrpc.php file will no longer pose any threats.
Conclusion: Keep your site protected at all times
Now that you’ve disabled the XML-RPC function in WordPress, you’ve made your site one degree more secure. But there are more WordPress security measures you should implement in order to keep your website completely protected from hackers.
We recommend implementing WordPress Hardening Measures on your website. This will fortify your site and make it extremely hard for hackers to break into it. If you’re looking for an easy-to-use solution that will give you all-round protection, use a security plugin on your WordPress website. It will safeguard your site from malicious traffic, bad bots and hack attempts. Plus, it will regularly scan your website and alert you if there is any malware on it. Stay safe!