To XML-RPC, or not to XML-RPC: that is the question. At least for those who have an affinity with remote control in WordPress. Indeed, Extensible Markup Language Remote Procedure Call (widely known and abbreviated as XML-RPC) is a protocol specified as a communication facilitator. It was first created as an ensemble of codes enabling data transmission across a network comprised of diverse operating systems. No one can deny how useful it was during its first years of service. But as time went by, the underlying technology has inexorably evolved, and nowadays, xmlrpc.php files have become a burden. More precisely, they fragilize websites, making them more prone to attacks and other security issues.
Let’s use this article to remember why the XML-RPC protocol was created in the first place. We also ought to explain why you don’t need it anymore and how to disable it.
A Little Retrospective of XML-RPC.PHP
The XML-RPC protocol was created in 1998 from the collaboration of Dave Winer of UserLand Software and Microsoft. At the time, the real big deal was the ongoing design of SOAP (Simple Object Access Protocol). There were some setbacks that apparently made Winer come up with something more manageable, namely XML-RPC. A prototype of SOAP, if you will. But why was there a need for a simpler system? Back then, internet connection was sluggish, rendering even the most basic processes overcomplicated. People were naturally reluctant to use browsers and would rather write entire portions of their content offline. Then they would copy and paste it onto the web. All in all, they were trying to save the day within a technically restricted context. WordPress was still in gestation but a modernized conception of content management systems was already in place.
That being said, what users did get with the new protocol was quite aligned with their established habits. It was almost just an improvement of their previous offline blogging experience through a client relying on specifically adjusted software. Later on, the emergence of WordPress XML-RPC has sort of confirmed the tendency.
How to Know If XML-RPC Is Running on Your WordPress Site
Version 2.6 of WordPress had the advantage to enable and disable XML-RPC at your convenience. Then it became enabled by default. So anyone installing WordPress can be sure to get xmlrpc.php automatically. Are you looking for confirmation, regardless? XML-RPC validation services seem to be currently down. Remember our introductory lines when we said that the protocol is no longer a priority. Ok, but how else can you check whether it’s enabled? The answer is the PHP URL, meaning that you should copy your own blog URL on your browser. See if you are getting a PHP POST request notification. If you see the following information: ‘XML-RPC server accepts POST requests only’, you will know that the protocol is enabled.
The rationale for Disabling XML-RPC.PHP
You may want to disable XML-RPC for several reasons. First of all, you may be agreeing about the fact that the feature is getting somewhat tired nowadays. In effect, it’s not really a requirement anymore for your communications outside of WordPress. The current technology offers more practical alternatives. And what’s more, xmlrpc.php can be the source of serious security problems. Hackers and other intruders are well acquainted with various RPC attack types. They know how to manipulate the protocol in order to turn it into an infiltration pathway.
In that regard, there are two noticeable threats users should be aware of. The first one is a classic in cryptography and is known as a brute-force attack. It happens when an attacker adopts a trial-and-error mode by submitting several username and password combinations to access your site. The tricky part is that those forcible entries can remain undetectable since attackers may be hiding their attempts under a single command. So your security measures are likely to be ineffective in such cases. The other big risk is DDoS (distributed denial-of-service) attacks. This kind of sabotage targets a specific server or network and aims at obstructing its normal traffic. What the attackers do is send pingbacks to multiple sites at once with the intention to make them crash. WordPress is all the more advantageous for them, considering the great number of IP addresses that xmlrpc.php delivers.
If you want to avoid the aforementioned scenarios, disabling XML-RPC in WordPress is a logical precaution. Moreover, we have entered the WordPress API era. It’s comparable to a brand new ecosystem that makes XML-RPC already obsolete. It promises a direct coding system that won’t require any PHP open file manipulations or other similar tweaks.
Option 1: Disable Xmlrpc.php with a Plugin
This is probably the most intuitive and viable way. Just one note of caution though: Check your other plugins before any complete deactivation. Indeed, some of them may be using elements of XML-RPC. Disabling it altogether could thus interfere with the proper functioning of such plugins and even block them. To prevent that, you may opt for a partial deactivation. Let’s suppose that you just want to shield your site against the types of attacks that we mentioned previously. You could use specific plugins like Loginizer or Remove & Disable XML-RPC Pingback. This would be a less restrictive strategy and still grant the other plugins access to the xmlrpc.php file.
Now let’s get back to the typical deactivation method and see what to do:
Go to the Plugins section the WordPress dashboard
Log in to your WordPress site and go directly to your dashboard. Select ‘Plugins’ and then ‘Add New’.
Install the Disable XML-RPC plugin
Disable XML-RPC is the most recommended plugin for deactivation. Search for it. Once you’ve found it, select ‘Install Now’.
Activate the Disable XML-RPC plugin
Once the installation is completed, select ‘Activate’. The plugin will automatically insert the code that allows you to switch off XML-RPC.
Option 2: Disable Xmlrpc.php Manually
You may also control the deactivating process manually. We are saying control on purpose because there are some particular actions to execute.
The xmlrpc_enabled filter is often the first solution coming to mind. That’s the one supposed to be added at the end of the wp-config.php file. Let’s remember what it looks like:
add_filter( ‘xmlrpc_enabled’, ‘__return_false’ ) ;
The thing is, this method is not effective if your objective is to turn off XML-RPC completely. Despite the latest system updates, it still seems to work only for cases that require authentication. So what else could you do to obtain a full deactivation and counteract xmlrpc.php security issues?
One of the reliable ways is to use the .htaccess file. Open it. In case you don’t see it, make sure to turn on the ‘show hidden files’ option in the file manager. You may also connect to it via the FTP client. Then add the following code:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
Throughout the journey of improving your website, the best thing about websites is that there are a lot of ways to implement new things into your webs...
Have you ever found yourself in a situation where you wished you could start over with a clean slate on your WordPress website? Manually deleting test...
allow from xxx.xxx.xxx.xxx
</Files>
Note that the ‘allow from xxx.xxx.xxx.xxx’ line is optional. You need it only if there is a specific IP address you wish to grant access to xmlrpc.php. If so, just replace the xxx parts with the IP address. Otherwise, remove this line
Here’s an additional way for those of you who are on an Nginx server. You can ask your hosting provider to insert the following code:
# nginx block xmlrpc.php requests
location ~* ^/xmlrpc.php$ {
return 403 ;}
XML-RPC at a Glance
We all know that xmlrpc.php files and the XML-RPC protocol have been of great support in the past. They were already here long before WordPress itself was launched. Without them, it would have been difficult to communicate with external systems or blog offline. But times have changed and we need more efficient precautions against security flaws. Disabling XML-RPC is nowadays one of the best options to keep your site safe and functional. Be also ready for the full transition into REST API. That’s how you can hope to maintain an up-to-date and efficient WordPress site.
1 Comment
XMLRPC PHP is an important part of WordPress that allows for remote access and communication with the WordPress platform. It’s a useful tool, but can be a security risk if not properly managed. I suggest everyone to take extra steps to secure it.