What Is Xmlrpc.php in WordPress and Why You Should Disable It Print

  • xmlrpc.php, wordpress attack
  • 1

WordPress has always had built-in features that allow you to interact remotely with your site. For a long time the solution was a file called xmlrpc.php but in recent years the file has become more of a problem than a solution because this mechanism has been misused.

What is Xmlrpc.php?

XML-RPC is a WordPress feature that allows for data transmission, with HTTP serving as the transport mechanism and XML as the encoding mechanism. Since WordPress is not a self-closing system and occasionally needs to communicate with other systems, this one has been sought to handle that job.

Why should it be disabled?

The biggest problems with XML-RPC are the security problems that arise. The issues aren't directly related to XML-RPC, but rather how the file can be used to enable a brute force attack on your site. Of course, you can protect yourself with incredibly strong passwords and WordPress security plugins. But the best way to protect it is to simply disable it. There are two major weaknesses of XML-RPC that have been exploited in the past. The first is to use brute force attacks to gain access to your site. An attacker will attempt to log into your site using xmlrpc.php using various username and password combinations. They can effectively use a single command to test hundreds of different passwords. This allows them to bypass security tools that typically detect and block brute force attacks. The second was to take the sites offline via a DDoS attack. Hackers would use the pingback feature in WordPress to ping back thousands of sites instantly. This feature in xmlrpc.php gives hackers an almost infinite supply of IP addresses to deploy a DDoS. To check if XML-RPC is running on your site, you can run it through a tool called XML-RPC Validator. Run your site through the tool, and if you get an error message, it means you haven't enabled XML-RPC. If you get a success message, you can stop xmlrpc.php with one of the two approaches below.

How to disable it?
Open your .htaccess file. You may need to enable "show hidden files" in the file manager or FTP client to locate this file. Inside your .htaccess file, paste the following code:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Was this answer helpful?

« Back