WordPress has a huge number of great features. One of them is XML-RPC, but unfortunately its capabilities can also cause problems for your site and, in the worst case, offer a way in for malicious third parties. In this guide, we will explain what XML-RPC is, why you should disable it and how to do it.
What is XML-RPC?
In short, XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. It was built so that websites and other applications can connect to each other remotely. In WordPress, for example, this means that while it is enabled you can access your site from a phone app or an external blogging platform if you wish to do so.
Why should I disable XML-RPC?
Unfortunately, in today's world XML-RPC has become obsolete in most cases: the security risks involved when it is left enabled outweigh the benefits it offers.
The security risks XML-RPC can cause include:
Brute Force Attacks – This is where an attacker uses XML-RPC to test thousands of username and password combinations to gain access to your WordPress site. This is possible because XML-RPC does not limit the number of login attempts that can be made through it.
DDoS attacks – DDoS attacks can use XML-RPC to send pingbacks from different IPs, meaning your server is flooded with data and traffic whose only purpose is to slow down your server's network and ultimately crash it when it cannot handle all the requests.
How to disable XML-RPC
Check if XML-RPC is enabled
Before you try to disable XML-RPC, it is good to check whether it is enabled on your site. To check whether your site has XML-RPC enabled, simply use this tool here.
If you receive a “success” message, it means that XML-RPC is enabled.
Note – The xmlrpc.php file is located in your WordPress installation folder. Not seeing it there does not automatically mean that XML-RPC is disabled, so we highly recommend always testing your XML-RPC connection with an external tool.
To disable XML-RPC you need to go to your server and locate the .htaccess file in the root of your site. The .htaccess file is usually located in your “public_html” folder.
In the .htaccess file, add the following code:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
If you wish to whitelist an IP address that may still use XML-RPC, replace “xxx.xxx.xxx.xxx” with the IP you want to grant access to your XML-RPC. If instead you wish to disable XML-RPC completely, simply remove the “allow from xxx.xxx.xxx.xxx” line.
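The following Python script is an added example and not part of this guide or of WordPress itself. It does what the external checker in the "Check if XML-RPC is enabled" step does, posting a harmless `system.listMethods` call to xmlrpc.php and reading the reply, so you can run the check yourself before editing .htaccess and again afterwards to confirm that the block took effect. The site URL is a placeholder you pass on the command line, and the two sample replies embedded in the script are constructed, not captured from a real site.

```python
"""Probe a WordPress site's xmlrpc.php the way an external checker does.

Added example, not code from the original guide. It POSTs a harmless
`system.listMethods` call and classifies the reply, so you can confirm
whether XML-RPC answers before editing .htaccess and that it is blocked
afterwards. The site URL is whatever you pass on the command line.
"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client

ENABLED = "enabled"    # endpoint answered at the XML-RPC level
BLOCKED = "blocked"    # web server refused the request (e.g. the .htaccess rule)
UNKNOWN = "unknown"    # neither: a 500, an HTML page, or an empty reply


def build_probe() -> bytes:
    """Encode a `system.listMethods` call: it needs no credentials and asks
    the endpoint to list the methods it exposes."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def classify(status: int, body: bytes) -> tuple[str, list[str]]:
    """Turn an HTTP status and body into (verdict, exposed method names)."""
    if status in (401, 403, 404, 405):
        return BLOCKED, []
    if status != 200:
        return UNKNOWN, []
    try:
        params, _ = xmlrpc.client.loads(body.decode("utf-8", "replace"))
    except xmlrpc.client.Fault:
        # A <fault> is still an XML-RPC reply, so the endpoint is live.
        return ENABLED, []
    except Exception:
        # 200 with something that is not a methodResponse (HTML, empty body).
        return UNKNOWN, []
    methods = list(params[0]) if params and isinstance(params[0], (list, tuple)) else []
    return ENABLED, methods


def probe(site_url: str, timeout: float = 10.0) -> tuple[int, str, list[str]]:
    """POST the probe to <site>/xmlrpc.php; returns (status, verdict, methods)."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_probe(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return (status, *classify(status, body))


# Constructed sample replies (not captured from a real site), showing what
# the classifier does with each kind of answer.
SAMPLE_ENABLED = (
    b'<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
    b"<value><string>system.listMethods</string></value>"
    b"<value><string>pingback.ping</string></value>"
    b"<value><string>wp.getUsersBlogs</string></value>"
    b"</data></array></value></param></params></methodResponse>"
)
SAMPLE_FAULT = (
    b'<?xml version="1.0"?><methodResponse><fault><value><struct>'
    b"<member><name>faultCode</name><value><int>405</int></value></member>"
    b"<member><name>faultString</name><value><string>XML-RPC services are "
    b"disabled on this site.</string></value></member>"
    b"</struct></value></fault></methodResponse>"
)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: xmlrpc_probe.py https://your-site.example")  # placeholder URL
    status, verdict, methods = probe(sys.argv[1])
    print(f"HTTP {status}: xmlrpc.php is {verdict}")
    if "pingback.ping" in methods:
        print("pingback.ping is exposed (the method abused for pingback floods)")
```

Run it as `python3 xmlrpc_probe.py https://your-site.example` (placeholder URL). Before the .htaccess edit you should see `enabled`, usually with `pingback.ping` in the method list; after the edit you want `blocked` with HTTP 403. Two results deserve a second look: an `unknown` verdict with HTTP 500 right after the edit usually means an Apache 2.4 server without mod_access_compat, which does not understand the `order`/`deny`/`allow` directives (its native equivalent is `Require all denied`, with `Require ip` for a whitelisted address), and a site that still reports `enabled` may be running nginx, which ignores .htaccess files entirely, so the block has to be done in the nginx configuration instead.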