WordPress includes a feature called XML-RPC that lets data be exchanged with other systems, using HTTP as the transport and XML as the encoding. WordPress is not a self-contained system: it occasionally needs to talk to other software, and the XML-RPC specification was implemented for that purpose.
XML-RPC for PHP is affected by a remote code-injection vulnerability. An attacker may exploit this issue to execute arbitrary commands or code in the context of the web server. Attacks on xmlrpc.php are common.
Not many websites actually use the XML-RPC functionality, so one simple way of avoiding these attacks is to delete the xmlrpc.php file. However, the file is restored every time you update WordPress, so this isn’t a permanent solution.
In 2015, WordPress implemented the REST API, which effectively provided a more modern alternative to XML-RPC, and XML-RPC has remained in WordPress for backward compatibility. Note: Jetpack is one popular plugin that requires XML-RPC to work, but most websites won’t need it at all and you can block it.
Disable XMLRPC via code snippet
Add the following snippet to your theme’s functions.php, or add it through the Code Snippets (or Code Snippets Pro) plugin:
// Disable the use of XML-RPC methods that require authentication
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the X-Pingback header that advertises the XML-RPC endpoint
add_filter( 'wp_headers', 'disable_x_pingback' );
function disable_x_pingback( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
Deny Access to XMLRPC
However, if your site is being hammered with thousands of requests on XML-RPC, the snippet above still requires WordPress to load and process every request, so the best option is to block access to xmlrpc.php at the web server:
Deny access to xmlrpc.php from Apache
Via the .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    order allow,deny
    deny from all
</Files>
Deny access to xmlrpc.php from OpenLiteSpeed
Via the .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    order allow,deny
    deny from all
</Files>
Deny access to xmlrpc.php from Nginx
If you’re using nginx, you can deny access to the xmlrpc.php file from the nginx server block:

# nginx: block xmlrpc.php requests
location = /xmlrpc.php {
    deny all;
}
Testing
You can test whether XML-RPC is disabled by sending a POST request to xmlrpc.php with the following body:

<methodCall>
  <methodName>system.listMethods</methodName>
</methodCall>
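To run that test from a terminal, here is an added Python example (not part of the original article) that POSTs the request body above to xmlrpc.php and classifies the reply: a 403 or 404 means the web-server deny rule is working, while a methodResponse listing method names means the endpoint is still reachable. Note that the xmlrpc_enabled filter only disables methods that require authentication, so system.listMethods still answers when only the functions.php snippet is in place; the sample replies embedded in the block are constructed, and the target URL is whatever you pass to check_site.

```python
"""Check whether a WordPress site still answers XML-RPC calls (added example)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# The request body from the article's Testing section.
LIST_METHODS_BODY = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.listMethods</methodName>
</methodCall>"""

# Constructed sample replies for offline testing, not captured from a real site.
SAMPLE_ENABLED = (
    b"<?xml version='1.0'?><methodResponse><params><param><value><array><data>"
    b"<value><string>system.listMethods</string></value>"
    b"<value><string>wp.getUsersBlogs</string></value>"
    b"</data></array></value></param></params></methodResponse>"
)
SAMPLE_FORBIDDEN = b"<html><body><h1>403 Forbidden</h1></body></html>"


def classify_xmlrpc_response(status: int, body: bytes) -> str:
    """Turn an HTTP status and body into a verdict about the endpoint."""
    if status in (401, 403, 404, 405):
        return "blocked"  # web-server deny rule, or the file is gone
    if status != 200:
        return "unexpected"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "not-xmlrpc"
    if root.tag != "methodResponse":
        return "not-xmlrpc"
    if root.find("fault") is not None:
        return "fault"  # WordPress answered with an XML-RPC fault
    # A successful listMethods reply is an array of <string> method names.
    return "enabled" if root.find(".//string") is not None else "not-xmlrpc"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """POST the listMethods call to <base_url>/xmlrpc.php and classify the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php", data=LIST_METHODS_BODY,
        headers={"Content-Type": "text/xml"}, method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_xmlrpc_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify_xmlrpc_response(e.code, e.read())
```

Call `check_site("https://your-site.example")` against a site you administer; the expected verdict after applying the Apache or nginx rule is "blocked".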
Further Reading
- XMLRPC or WP-Login: Which do Brute Force Attackers Prefer? by Mark Maunder, WordFence
- https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/
- https://www.hostinger.com/tutorials/xmlrpc-wordpress
That’s it! You’re done!