Looking for a quick way to disable WordPress XML-RPC? Before you do though, consider why you are doing so.
You also probably have a lot of other questions as well:
- What is xmlrpc.php?
- How big of a security risk is it?
- Does disabling xmlrpc.php automatically resolve the threat?
In this article, we’re going to answer all these questions and more.
TL;DR: Disabling XML-RPC on WordPress is not a real solution. Sooner or later, the hackers will find some other vulnerability to exploit. We recommend that you install a powerful WordPress firewall instead to block out bots and malicious IPs.
Is your website being hacked because of XML-RPC?
Well, no.
What is happening is that hackers are trying to get access to your website, by trying combinations for usernames and passwords. But don’t panic, your website hasn’t been hacked yet.
We have seen almost every site experience this. If you have used strong passwords, the chances of your site getting hacked because of this is minimal. Of the 10,000+ hacked sites we have seen, less than 5% have been hacked because of such attacks.
However, these sort of attacks—known as brute force attacks—use up server resources. Even if you have protected your login and admin pages, these attacks bypass those pages entirely, so cause the server to get overloaded.
To prevent this, it is important to install a good firewall.
What is XML-RPC?
XML-RPC is a WordPress feature that enables the transfer of data between WordPress and other systems. It has now been largely replaced by REST API, but is still included in installations for backwards compatibility.
XML-RPC allows third-party apps to publish content on your WordPress website. For instance, if you use the WordPress mobile app to publish a post from your smartphone, XML-RPC allows you to do that.
But that’s not all it can do. WordPress also used it to communicate with other blogging platforms. It enabled trackbacks and pingbacks.
It even powered an older version of the Jetpack plugin.
WordPress typically uses it to connect to the WordPress mobile app. If you’ve ever used the WordPress mobile app, you’ll remember having to activate XML-RPC.
The weirdest thing about this whole deal is that WordPress doesn’t even use XML-RPC any more. Ever since it released its own REST API, WordPress stopped using the old codebase.
The only reason why your WordPress installation still has the xmlrpc.php file is for backward compatibility. In simpler words, it’s meant only for websites that are still running on a VERY old version of WordPress!
If this is you, we strongly recommend that you backup your website immediately and update your WordPress core files, themes, and plugins. Staying on older versions of WordPress can pose far greater security risks than hackers trying to connect to xmlrpc.php.
The bottom line is that you can disable XML-RPC on WordPress safely if your WordPress version is higher than 4.7. It doesn’t even affect Jetpack in case you’re using the plugin. But while disabling XML-RPC is a perfectly safe action by itself, it doesn’t help protect your site against hackers.
Why hackers attack XML-RPC?
If you’ve ever used the WordPress mobile app, you’ll remember that it requires you to log in to your website before you can actually make changes. Now, this login happens by sending your credentials to the xmlrpc.php script, which then validates and authenticates your access credentials.
Hackers basically try to do the same thing: log into your website by sending the xmlrpc.php script access credentials. The biggest risk is if your password is weak, and can be easily guessed. That’s when XML-RPC becomes a security problem.
Otherwise, you are looking at the possibility of an overloaded server—which is still not great, mind you, but easily addressed with a firewall.
WordPress 4.7 and higher versions that use the REST API to connect with external applications use a form of authentication called OAuth tokens. OAuth is a very secure way to connect to an external app. XML-RPC’s method of using the username and password directly is not a safe method at all.
Given enough time, a hacker or a bot can send variants of the username and password to connect to xmlrpc.php until they guess the right one.
This is called a brute force attack.
Another major security issue with XML-RPC is that it was used for pingbacks, which are alerts on WordPress for when someone links to your content. The threat is that a hacker can send a tidal wave of pingbacks to your site.
This type of attack, known as a DDoS attack, can overload your server, deplete your server resources, and get your website suspended by your web host!
Again, the REST API replaced this function as well. So, if you’re fond of pingbacks, you can still safely disable XML-RPC on WordPress.
If you are concerned that perhaps you are part of the 5%, and your website may be hacked, use our free malware scanner right now to eliminate that possibility.
Should you disable XML-RPC?
We do not recommend disabling XML-RPC at all.
The reason?
Simple – disabling the PHP file does not do you any good. Disabling XML-RPC doesn’t get rid of hackers and bots. It simply redirects their attention to wp-login.php to carry out brute force attacks.
Secondly, the plugin will slow down your website, as it needs to load to block the request.
It is more important to protect your website, and if you have been reading thus far, you can probably guess we would suggest installing a firewall. Yes, that old chestnut.
How to disable XML-RPC on WordPress?
As with all things WordPress, you can disable WordPress XML-RPC in two ways:
- Using a plugin
- Without a plugin
In most cases, we usually recommend that you use a plugin to do almost anything on WordPress. Manually changing code on the WordPress backend can lead to catastrophe. This is a rare instance where we recommend neither method, but we’ll still show you how to do both in any case.
Remember to proceed with caution, and take backups of your website before doing anything.
Step 1: Check if XML-RPC is enabled on your website
Even though your WordPress installation came with xmlrpc.php, that doesn’t mean that it’s still enabled. Before you go ahead and try to disable XML-RPC, you should at least check if it’s still active on your website.
Use the WordPress XML-RPC Validation Service. This app will check your website and let you know if xmlrpc.php is enabled.
If you do the same for MalCare, you’ll see a 403 error message because we have a firewall in place.
Step 2: Disable XML-RPC on your website
It’s finally time to disable XML-RPC on your WordPress once and for all.
We’ll show you how to do this using two methods. While we don’t recommend disabling the file at all, we’ll still encourage you to use the plugin if you’re dead set on doing it.
Option A: Using a plugin
There are loads of plugins that you can use to disable XML-RPC on your website. We recommend using the REST XML-RPC Data Checker plugin.
Bear in mind that your website will slow down as the plugin will need to load to block the request. Also, the hackers will shift to attacking the wp-login.php file instead.
So, this will achieve absolutely nothing in terms of security. If you want real protection, we suggest that you install MalCare’s advanced firewall plugin instead.
Once you install the plugin, head over to Settings > REST XML-RPC Data Checker.
Then click on the XML-RPC tab:
You can disable the API interface, the ability to format WordPress posts, pingbacks, and trackbacks. As an added advantage, you can also introduce a trusted user who can still use XML-RPC or a list of trusted IP addresses that won’t be blocked.
Quick and efficient! We don’t recommend fiddling with the REST tab, though. Just leave everything on default there.
Option B: Without a plugin
This is the worst possible option in the book. We highly recommend that you skip to the next section instead where we teach you to actually defend against XML-RPC attacks.
But if you’re dead set on disabling XML-RPC manually, we strongly suggest that you take a full backup of your website first.
Depending on the kind of server your website is using, you can follow one of these two methods:
Disable WordPress XML-RPC Using .htaccess
Paste this code snippet into your .htaccess file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
In the 5th line ‘allow from xxx.xxx.xxx.xxx’, replace the x’s with your IP address, if you would like to retain XML-RPC from a particular IP. Otherwise, you can simply delete this line.
If your website is hosted using Apache, you will be able to connect to your server using cPanel or FTP. In either case, you’ll be able to access your .htaccess file.
Disable WordPress XML-RPC Using .config
For sites hosted on Nginx, you can add the following code to the Nginx.config file:
location ~* ^/xmlrpc.php$ {
return 403;
}
Or, you can simply ask your web host to disable XML-RPC for you.
Disable WordPress XML-RPC Using a Filter
Alternatively, you can add a filter into any plugin:
add_filter('xmlrpc_enabled', '__return_false');You can do the same thing from the theme functions file but it’s a much better practice to write a plugin. Also, you can use this method no matter what kind of server you have.
Again, none of these are truly helpful options, and making manual changes is never a good idea. So, if you have to do it at all, please have a WordPress backup ready just in case things go south.
How to prevent XML-RPC attacks?
This is the most important section in this article and it’s quite a big one. So, we decided to split this up into several actionable steps that you can take to prevent XML-RPC attacks on your website.
Step 1: Check if your website is already hacked
In all likelihood, your site hasn’t been hacked yet.
But you still need to confirm this just in case. If your website really is hacked, you’ll need to remove the malware from it first otherwise disabling XML-RPC won’t make any sense.
The simplest way to confirm if your site is hacked or not is to use MalCare’s FREE malware scanner. MalCare’s scanner takes very little time to set up and it can detect even unknown malware on a website in a matter of seconds.
If you see a hacked site warning on MalCare, all you have to do is hit the ‘Autoclean’ button.
MalCare takes care of the entire malware removal in 60 seconds.
Step 2: Install a WordPress Firewall
This is the right way to handle XML-RPC vulnerabilities. Use a WordPress firewall that is equipped to block out the bots that are trying to connect with xmlrpc.php.
Disabling the file doesn’t work. Hackers simply start trying to hack wp-login.php next.
The only problem is that firewalls usually come into effect too late. Every time a hacker tries to hack in by connecting to xmlrpc.php or wp-login.php, the entire WordPress site gets loaded along with it.
That’s exactly why we recommend using MalCare’s advanced firewall that:
- Repels bots and hackers before your website loads
- Doesn’t slow down your website’s loading speed like Cloudflare
- Constantly updates a database of malicious IPs by learning from a network of 250,000+ websites that it protects
If your website is protected by MalCare, all the bots and hackers will get when they try to connect to XML-RPC or WP-Login is a 403 error. An error like this can quickly discourage a hacker from going any further.
Why do people recommend you disable XML-RPC?
Several reasons. Let’s look into each, so you understand why someone (yes, that WordPress management blog counts too) recommends this course of action. (Even if it is somewhat of a Band-Aid solution.)
One of the biggest reasons why many of our readers (like yourself) want to disable XML-RPC on their WordPress website is that they experienced server resource problems. On looking at logs, you may have come across a lot of hits to the xmlrpc.php file.
Maybe you use Jetpack, and you came across a configuration error while installing Jetpack. You then searched for this weird-sounding file, and read a bunch of stuff about how it is something of a vulnerability.
Or you used a scanner, which threw up a warning like this one:
That’s a screenshot of a Wordfence traffic log.
A security plugin shows you that bots are trying to hack into your site through the XML-RPC on WordPress. So, your natural instinct is to disable this option altogether.
What You Shouldn’t Do And Why?
Blacklist IP addresses
You might think that blocking the IPs manually is a good way to block the hackers. In fact, this is what a lot of security “gurus” will endorse. But it doesn’t work. If you block one IP address, a brute force bot will simply start using another IP address to attack your site.
Deleting XML-RPC
Don’t even think about deleting the xmlrpc.php file from your WordPress installation. It’ll wreck your site completely and even if it doesn’t, the file will just pop right back the next time you update WordPress.
What Next?
Improving WordPress security is not a one and done kind of deal. Yes, installing a firewall is a great way to start, but we recommend that you do a full WordPress security audit on your website to find out what else you can improve.
If you’ve installed MalCare already, you’ll find a lot of suggestions within the intuitive dashboard. Just go ahead and do a security scan and follow along with the prompts.
As you’ll quickly find out, hardening your WordPress website security is a good idea. Again, you can simply follow along with the instructions to get it done in a few simple clicks.
Another important aspect of security is to always be in the know.
If there’s a new WordPress vulnerability, you need to know about it and take preemptive measures before it affects your website as well.
FAQs
What is XML-RPC?
XML-RPC stands for XML Remote Call Procedure. It’s a protocol used by outdated blogging systems to connect to the blog using an HTTP connection with XML encoding. Simply put, it’s a protocol that allows users to connect remotely with a blogging platform such as WordPress.
What is XML-RPC used for?
XML-RPC is a way to connect remotely to WordPress from third-party apps such as the WordPress mobile app. It also sends you a notification everytime someone links out to your posts through trackbacks and pingbacks.
How do I disable XML-RPC?
You can disable XML-RPC using a plugin such as the REST XML-RPC Data Checker plugin. However, disabling XML-RPC doesn’t stop hackers from trying to hack into your WordPress website. To stop the attacks, you should install MalCare’s advanced firewall plugin instead.
I have CAPTCHA or 2FA. Can they still crack the password using XML-RPC?
Captcha and Two-Factor Authentication (2FA) plugins are meant for additional security. They don’t offer real protection against XML-RPC hacks.
Most captcha and WordPress 2FA plugins will only secure the WordPress login page and not the XML-RPC script. Double- check with your security plugin to ensure that it prevents login through XML-RPC.
Can I blacklist malicious IP addresses?
This seems like an obvious solution — just block out the hacker’s IP address and you will be safe.
Don’t play into this idea. It’s like playing whack-a-mole with hackers. They’ll keep changing IP addresses and attacking your site using another IP address. There’s no end to this.
Only something like MalCare’s firewall can help you. It comes with Bot Protection which will automatically block out malicious IPs from country or device. The advanced firewall learns from 250,000+ sites on its network and recognizes bots and malicious IPs before they can even mount an attack. All this without slowing down your site.
Nevertheless, if you still want to go ahead with blocking malicious IPs one at a time for all eternity, this article will help you.
Can’t I just delete the XML-RPC file? WordPress doesn’t use it anymore.
Don’t do this. Even if the XML-RPC file is missing, your site will continue to get overloaded by bots trying to connect to it. The bigger risk is that deleting a WordPress core file willy nilly could wreck your site completely.
The worst part is that xmlrpc.php will just get reinstalled during the next WordPress update, which defeats the purpose of deleting the file.