What is XMLRPC and How This WordPress' Vestigial Tail Threatens Your Website Security
Table of Contents
In the root directory of every WordPress site is a file, xmlrpc.php that actually predates WordPress itself. Back before WordPress, during the b2 days, this file was created to give sites a way to communicate with each other and for other applications to communicate with the blog itself.
What is XMLRPC?
The name tells you everything you need to know about the functionality.
XML – This was designed to accept payloads in XML. These days JSON is a much more common format but XMLRPC predates JSON by quite a bit.
RPC – RPC stands for Remote Procedure Call. It was a standard by which one system could ask another system to do something. These days we use APIs – REST or Graph API – to do the same thing but before those existed, RPC was one of the ways we accomplished this.
How does XMLRPC work?
To make XMLRPC.php do something you had to POST a message to it. If you are not familiar with how browsers work, this is basically like clicking the Submit button on a form. That usually initiates a POST request.
If you make a POST request to yourdomain.tld/xmlrpc.php and you hand it a properly formatted XML payload, you can do things like create a post on your site.
One of the things that XMLRPC was used for a lot back in the day was “pingbacks”. Those comments you see on posts that show that someone else linked to it on their blog.
Potential security threats from WordPress’ XMLRPC
For a long time, XMLRPC was a useful tool. Those days are fading into history now. These days all of the functionality that XMLRPC used to be used for is handled by the built-in REST API. Even though it’s not used anymore. It’s still hanging around. Those who get nostalgic about such things see it and smile. Those that are worried about security see it and frown.
XMLRPC poses a couple of distinct security risks for WordPress sites that can result in severe WordPress XMLRPC attacks.
The first type of WordPress XMLRPC attack is a simple Brute Force attack. Since part of the XML payload that is passed to WordPress is the login and password of the user that wants to take the action, it is an easy way for attackers to try out user name and password combos until they find one that works. Many security conscious site owners will limit the number of login attempts a user can make before locking them out but won’t bother to block XMLRPC requests thus leaving a back-door open for attackers to try and find a way in.
Brute Force Attacks via XMLRPC
Once an attacker finds credentials that work, they are free then to attempt to do damage to your site by injecting content into your site’s database. Whether these are Posts, Pages, or just comments, the end result is the same. Content that you did not approve and most likely do not want is being served by your site.
At the very least, this means spam comments or posts. At the worst though, it could be innocuous posts or comments that have malware injected.
DDoS attacks using XMLRPC
Because one of the ways that XMLRPC was used was for pingbacks, malicious users can use it to overwhelm your server by issuing a lot of expensive requests all at once.
A pingback writes a record to your database. Writing to your database is an expensive task, resource wise. While a single pingback won’t hurt your site’s performance, hundreds or even thousands of them at once can bring even the beefiest server to its knees.
This is called a DDos or Distributed Denial of Service attack. Distributed because it’s usually not a single machine making all the requests, usually it is a whole bunch of machines spread out all over the place.
How to disable XMLRPC in WordPress
There are a few ways you can disable XMLRPC. I highly recommend that you do it because honestly, you just don’t need it.
Through your webserver’s config file
If you are familiar with how to block requests via your webserver’s config files – and you have access to your webserver’s config files, this is a great way to block it. For Apache, you can add this code to the .htaccess file in the root directory of your site.
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
That will stop it dead in its tracks.
Through your theme’s functions.php file
If you are not one who likes to much around in your web server’s config files, you can add a single line of code to your theme’s functions.php file.
add_filter( ‘xmlrpc_enabled’, ‘__return_false’ );
Make sure and get that exactly right, there are 2 underscores before the word return. Again, this will turn it off. This tells WordPress itself that you don’t want to accept XMLRPC requests.
Installing a plugin
Finally, if don’t want to bother with adding code to your theme’s functions.php, you can disable XMLRPC in WordPress by installing a plugin. (Hint, the plug does the exact same thing as the previous tip.) There are several good ones out there that are free or you may already have this functionality available to you if you have one of the Application Firewall plugins installed.
If not, let me recommend my favourite one and what I use on all of my sites to turn off XMLRPC, SiteGround Security Plugin. Even if you aren’t hosting with SiteGround, you can use this free plugin to manage several different security tasks. If you only want it to turn off XMLRPC, then disable all the other options. That’s one of the things I love about this plugin, everything is optional.
XMLRPC served us well in it’s day, but it’s day has come and gone. It’s time to let it retire gracefully. Until the WordPress core developers decide it is time to remove it, you need to protect yourself and your site by disabling it.
Comments ( 12 )
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through
Huy Hoa
I'm wondering why the WordPress team doesn't remove it in core?
Gergana Zhecheva Siteground Team
For the time being, XMLRPC is still in use by a few plugins. We recommend disabling it, unless you are certain you need it for the proper functioning of your website.
Eli
This recent article talks about not needing to block XMLRPC file (see link below and navigate to the "NEW: Traffic validation that minimizes the number of brute-force attacks" section), so I am undecided on what to do (block it leave it alone). Additionally, some websites have XMLRPC type of file on directories other than in root. What are your recommendations for those other files? Article: https://www.siteground.com/blog/95-less-bad-traffic-with-enhanced-brute-force-prevention/?utm_medium=october2022&utm_source=clients_newsletter
Gergana Zhecheva Siteground Team
The answer to your question is - it depends. If you use the XMLRPC functionality, you do not need to disable it. If you do not use that file, you can disable it via the SiteGround Security plugin, Site Security menu. Usually, the file is located in the document root folder of your WordPress website, and you can also disable it (if needed) by renaming it. Regardless of its location, the principles are the same, and you first need to establish whether you need it to use it.
Dave
How do I ENABLE it? I am trying to set up a sandbox payment gateway on a SiteGround staging site and it appears as though this file is blocked by default. I have spent hours trying to find a way around this. For specific details, I am trying to connect WooCommerce Payments via JetPack. The error I receive is "JetPack requires your site https://staging.example.com to be publicly accessible". Any help would be greatly appreciated. Thank you
Gergana Zhecheva Siteground Team
Hello Dave, the file is enabled by default, yet it is inaccessible via the browser. We recommend reporting the issue directly to our Support, so that our reps can check what's blocking the connection and help you out further.
Neil Gonzalez
Great, but how do I enable xmlrpc I see that by default Siteground has it blocked globally. I cannot see in the htaccess or anywhere in the installation that xmlrpc is blocked. However, it's totally inaccessible to me. I would like to be able to securely use the feature not disable it globally without a choice. In my configuration, I have it limited access to the XMLRPC to the Jetpack servers only using Wordfence.
Gergana Zhecheva Siteground Team
Hello Neil, the file is not blocked by default on our hosting environment, yet if you are experiencing any issues with it, we recommend contacting our Support for checking your case further.
Mark S
I disabled it using the .htaccess file code snippet and it crashed my website. I did it for 3 of my websites using Multi site SFTP and once I inserted the code it crashed all 3 of my websites hosted on the go geek plan
Mila Kanazirska Siteground Team
Hello Mark, it will be best to report such cases directly to our support team so we can check for the reason. Here are the steps to get in touch if you still need to do it: https://stgrnd.co/contactus. We couldn't locate your account to check for previous support communication.
Kaylee
I want it to be accessible by Wordpress so I can use the Wordpress iPadOS app. But it seems it's having issues getting to the file. I have no clue as to why.
Gabriela Andonova Siteground Team
Thank you for your comment, Kaylee! Ensuring the security of your website is our top priority. To protect against potential exploits, we disable XML-RPC by default through our All-inclusive Security Solution plugin. However, if your site requires it to be accessible for a specific functionality, you can easily enable it in your site Dashboard -> SG Security plugin -> Site Security. For any further questions or assistance, don’t hesitate to contact our support team directly. We’re here to help.
Start discussion
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through