xmlrpc.php: What Is It in WordPress and Why Disable It

xmlrpc.php: What Is It in WordPress and Why Disable It

WordPress has always included features that allow you to interact with your site remotely. Face it, there will be times when you need to access your WordPress website, but your computer is not nearby. For a long time, the solution was a file called xmlrpc.php. However, in recent years, the file has become more of a nuisance than a solution.

We’ll look at what xmlrpc.php is and why it was written. We also go over the most common security issues it causes and how to fix them on your own WordPress site.

Download all in one WordPress cheat sheet

What Is Xmlrpc.php

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, this was sought to handle that job.

For example, let’s say you wanted to post to your site from your mobile device since your computer was nowhere nearby. You could use the remote access feature enabled by xmlrpc.php to do just that.

The core features that xmlrpc.php enabled were allowing you to connect to your site via smartphone, implementing trackbacks and pingbacks from other sites, and some functions associated with the Jetpack plugin.

Why Was Xmlrpc.php Created and How Was It Used

The use of XML-RPC dates back to the early days of WordPress, before it was even called WordPress.

Writing and publishing to the internet was much more difficult and time-consuming in the early days of the internet, when connections were incredibly slow. Rather than writing in the browser, most people would write offline and then copy and paste their content onto the web. Nonetheless, this procedure was far from ideal.

At the time, the solution was to create an offline blogging client where you could compose your content before connecting to your blog to publish it. This connection was established using XML-RPC. Early apps used this same connection to allow people to log in to their WordPress sites from other devices after the basic framework of XML-RPC was in place.

XML-RPC was initially disabled by default until WordPress 2.6 added a feature in the dashboard to enable or disable it.

XML-RPC was enabled by default with WordPress 3.5 and the introduction of the WordPress mobile app. This change also removed the option from the dashboard to enable or disable XML-RPC.

XML-RPC Nowadays

In 2015, WordPress core received a new REST API. It enables WordPress to include an API for interacting with mobile applications and other platforms.

Many developers began to use the new API, resulting in a significant decrease in XML-RPC usage. To put it another way, REST API effectively replaced XML-RPC.XML-RPC is still enabled in WordPress, and the xmlrpc.php file is still located in the core software directory.

Suggested Reading

Learn more about WordPress REST API and how to start using it for WordPress development.

Why You Should Disable Xmlrpc.php

The biggest issues with XML-RPC are the security concerns that arise. The issues aren’t with XML-RPC directly, but instead how the file can be used to enable a brute force attack on your site.

Sure, you can protect yourself with incredibly strong passwords, and WordPress security plugins. But, the best mode of protection is to simply disable it.

There are two main weaknesses to XML-RPC which have been exploited in the past.

The first is using brute force attacks to gain entry to your site. An attacker will try to access your site using xmlrpc.php by using various username and password combinations. They can effectively use a single command to test hundreds of different passwords. This allows them to bypass security tools that typically detect and block brute force attacks.

The second was taking sites offline through a DDoS attack. Hackers would use the pingback feature in WordPress to send pingbacks to thousands of sites instantaneously. This feature in xmlrpc.php gives hackers a nearly endless supply of IP addresses to distribute a DDoS attack over.

Pro Tip

Various threats pose risks to your website’s security. Safeguarding your website against potential vulnerabilities can be achieved by choosing a dependable WordPress hosting provider. Ensure your website’s protection by selecting a secure WordPress host that implements advanced security measures.

To check if XML-RPC is running on your site, then you can run it through a tool called XML-RPC Validator. Run your site through the tool, and if you get an error message, then it means you don’t have XML-RPC enabled.

If you get a success message, then you can stop xmlrpc.php with one of the two approaches below.

How to Disable Xmlrpc.php in WordPress

Now that you understand why xmlrpc.php is used and why it should be deleted, let’s go over the two ways to disable it in WordPress.

1. Disabling Xmlrpc.php With Plugins

Disabling XML-RPC on your WordPress site couldn’t be easier.

Simply navigate to the Plugins › Add New section from within your WordPress dashboard. Search for Disable XML-RPC-API and install the plugin.

Activate the plugin and you’re all set. This plugin will automatically insert the necessary code to turn off XML-RPC.

However, keep in mind that some existing plugins may utilize parts of XML-RPC, so disabling it completely could cause a plugin conflict or certain elements of your site to no longer function.

2. Disabling Xmlrpc.php Manually

If you don’t want to utilize a plugin and prefer to do it manually, then follow this approach. It will stop all incoming xmlrpc.php requests before it gets passed onto WordPress.

Open up your .htaccess file. You may have to turn on the ‘show hidden files’ within file manager or your FTP client to locate this file.

Inside your .htaccess file, paste the following code:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from xxx.xxx.xxx.xxx </Files>
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Important! Change xxx.xxx.xxx.xxx to IP address you wish to allow access xmlrpc.php or remove this line completely.

Conclusion

Overall, XML-RPC was a solid solution to some of the problems that occurred due to remote publishing to your WordPress site. However, with this feature came some security holes that ended up being pretty damaging for some WordPress site owners.

To ensure your site remains secure it’s a good idea to disable xmlrpc.php entirely. Unless you require some of the functions needed for remote publishing and the Jetpack plugin. Then, you should use the workaround plugins that allow for these features, while still patching the security holes. 

Author
The author

Kevin Wood

Kevin is a freelance writer who specializes in technology and online content marketing. He loves making complex marketing and technology topics accessible to all readers. When he’s not glued to his screen, you can find him lost in a book, writing poetry, or running through the woods.