WordPress uses XML-RPC to let users perform various actions on their website remotely. It lets you access your website through the dedicated WordPress mobile apps, and you can easily publish a blog post via email or an app. XML-RPC is also used for trackbacks and pingbacks, which let your website notify and link to other websites.
However, many current attacks on WordPress exploit XML-RPC features to gain access to websites. So disabling XML-RPC when you do not use it is a sensible way to improve security and WordPress loading speed.
XML-RPC attack methods
Brute-force attacks on WordPress involve repeated login attempts that guess usernames and passwords. The default WordPress login page (wp-login.php) can be secured in many ways. Undeterred by this, attackers found another, harder-to-detect route for brute-force attacks: XML-RPC. XML-RPC requests carry a username and password so that you can securely edit content remotely.
Attackers exploit this to try countless username and password combinations until they get into your website. Measures such as limiting failed logins and CAPTCHA are only effective against attempts made through the WordPress login page; they cannot protect you against attacks via XML-RPC.
DDoS (Distributed Denial of Service) is another attack that can be carried out by abusing XML-RPC features. If you have pingbacks/trackbacks enabled, your site could be drawn into an attack by another website right now without you knowing it. A single attacker can use thousands of WordPress sites to launch a DDoS attack on your site with a simple pingback request to each site's XML-RPC file.
Nearly endless requests will overwhelm your web server, cause downtime for your website, or even crash the server. In most cases, the web host will suspend your service before that happens.
Disable XML-RPC in WordPress
One of the easiest ways to protect yourself is to disable XML-RPC if you do not use it. However, many applications and plugins rely on XML-RPC, for example the WordPress mobile app, Jetpack, LibSyn and BuddyPress. Therefore, check thoroughly before disabling XML-RPC so that you do not break your website's operation.
Use a plugin
Many plugins (BulletProof Security, Disable XML-RPC, Remove XML-RPC Pingback Ping) can do this for you. You can also turn off only some XML-RPC features: for example, the Disable XML-RPC Pingback plugin turns off pingbacks on your website instead of all XML-RPC functionality. You should also set up a firewall to protect your website against brute-force and DDoS attacks.
If you use the Jetpack plugin, activate its Protect module. Jetpack keeps working as usual while your website is protected against attacks via XML-RPC.
Use code snippet
Insert the following line in the functions.php file of the theme or child theme you are using and save:
// Turn off the XML-RPC methods that require authentication (remote publishing, etc.)
add_filter( 'xmlrpc_enabled', '__return_false' );
Use the WordPress XML-RPC Validation Service tool to check whether you have successfully disabled XML-RPC.
Go to Settings => Discussion and uncheck "Attempt to notify any blogs linked to from the article" and "Allow link notifications from other blogs (pingbacks and trackbacks) on new articles" to disable pingbacks and trackbacks.
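The xmlrpc_enabled filter only gates methods that need a login; pingback.ping needs none, so a site that only adds that filter can still be used as a pingback amplifier. The following must-use plugin is an added example (not from the original article) that combines the filter with pingback hardening; the file name and the wp-content/mu-plugins location are assumptions.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not part of the original article)
 * Assumed location: wp-content/mu-plugins/harden-xmlrpc.php, so it loads on every request.
 */

// 1. Disable every XML-RPC method that requires authentication.
//    Caveat: this filter does not touch unauthenticated methods such as
//    pingback.ping, which is why steps 2 and 3 are needed as well.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods from the method table so the site can
//    neither receive pingbacks nor be used to flood another site with them.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: WordPress adds an X-Pingback header on
//    singular pages, and an RSD <link> in <head>, both pointing at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Make leftover traffic visible: xmlrpc.php defines XMLRPC_REQUEST before
//    loading WordPress, so every hit is logged here even when it is rejected.
//    Review the log before removing the endpoint entirely to confirm nothing
//    you rely on (mobile app, Jetpack, etc.) still depends on it.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( '[xmlrpc] request to xmlrpc.php from %s', $ip ) );
    }
} );
```

The .htaccess rule given below blocks the file outright at the web-server level; this plugin is the alternative when some XML-RPC features must stay available but pingbacks must not.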
Add the following code to the .htaccess file in the root directory of WordPress to block all access to the xmlrpc.php file at the web-server level:
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
Are you using XML-RPC on your website? What have you done to combat security attacks through this method? Don’t forget to share your opinion with us in the comment box below.