The XML-RPC WordPress specification was developed to standardize communication between different systems, meaning that applications outside WordPress (such as other blogging platforms and desktop clients) could interact with WordPress.
This specification has been a part of WordPress since its inception and did a very useful job. Without it, WordPress would have been in its own silo, separated from the rest of the internet.
However, xmlrpc.php has its downsides. It can introduce vulnerabilities to your WordPress site and has now been superseded by the WordPress REST API, which does a much better job of opening up WordPress to other applications.
In this post, we’ll explain what xmlrpc.php is, why you should disable it, and help you identify whether it’s running on your WordPress site.
What Is xmlrpc.php?
XML-RPC is a specification that enables communication between WordPress and other systems. It did this by standardizing those communications, using HTTP as the transport mechanism and XML as the encoding mechanism.
XML-RPC predates WordPress: it was present in the b2 blogging software, which was forked to create WordPress back in 2003. The code behind the system is stored in a file called xmlrpc.php, in the root directory of the site. And it’s still there, even though XML-RPC is largely outdated.
In early versions of WordPress, XML-RPC was turned off by default. But since version 3.5, it’s been enabled by default. The main reason for this was to allow the WordPress mobile app to talk to your WordPress installation.
If you used the WordPress mobile app befo
Why You Should Disable xmlrpc.php
The main reason why you should disable xmlrpc.php on your WordPress site is because it introduces security vulnerabilities and can be the target of attacks.
Now that XML-RPC is no longer needed to communicate outside WordPress, there’s no reason to keep it active. That’s why it’s wise to make your site more secure by disabling it.
re version 3.5, you may recall having to enable XML-RPC on your site for the app to be able to post content. This was because the app wasn’t running WordPress itself; instead, it was a separate app communicating with your WordPress site using xmlrpc.php.
But it wasn’t just the mobile app that XML-RPC was used for: it was also used to allow communication between WordPress and other blogging platforms, it enabled trackbacks and pingbacks, and it powered the Jetpack plugin which links a self-hosted WordPress site to WordPress.com.
But since the REST API was integrated into WordPress core, the xmlrpc.php file is no longer used for this communication. Instead, the REST API is used to communicate with the WordPress mobile app, with desktop clients, with other blogging platforms, with WordPress.com (for the Jetpack plugin) and with other systems and services. The range of systems the REST API can interact with is much greater than the one allowed by xmlrpc.php. Also, there is much more flexibility.
Because the REST API has superseded XML-RPC, you should now disable xmlrpc.php on your site.
The reason for this is because one of the key features of WordPress will always be backward compatibility. If you’re managing your site well, you will know that keeping WordPress up-to-date, as well as any plugins or themes, is essential.
But there will always be website owners who are unwilling or unable to update their version of WordPress. If they are running a version that predates the REST API, they will still need access to xmlrpc.php.
DDoS Attacks via XML-RPC Pingbacks
One of the functions that xmlrpc.php enabled was pingbacks and trackbacks. These are the notifications that appear in the comments on your site when another blog or site links to your content.
The XML-RPC specification was what made this communication possible, but that’s been replaced by the REST API (as we saw already).
If XML-RPC is enabled on your site, a hacker could potentially mount a DDoS attack on your site by exploiting xmlrpc.php to send vast numbers of pingbacks to your site in a short time. This could overload your server and put your site out of action.
Brute Force Attacks via XML-RPC
Each time xmlrpc.php makes a request, it sends the username and password for authentication. This presents a significant security liability and is something that the REST API does not do. In fact, the REST API uses OAuth which sends tokens for authentication instead of usernames or passwords.
Because xmlrpc.php sends authentication information with every request, hackers could use it to try to access your site. A brute force attack like this might allow them to insert content, delete code, or damage your database.
If an attacker sends enough requests to your site, each with a different username and password pair, there is a chance they could eventually hit on the right one, giving them access to your site.
That’s why, if you are running an up-to-date version of WordPress, which uses the REST API to communicate with external systems, you should disable xmlrpc.php. It isn’t needed and it could be making your site vulnerable.
Is xmlrpc.php Running on Your WordPress Site?
The first thing you need to do is identify whether xmlrpc.php is running on your WordPress site.
This isn’t a simple case of checking whether the file is there: it’s part of every WordPress installation and will be present even if XML-RPC is disabled.
To check if xmlrpc.php is enabled on your site, use the WordPress XML-RPC Validation Service. This will check your site and tell you if xmlrpc.php is enabled.
So if you run the check and discover that xmlrpc.php is still enabled on your site, how do you turn it off?
How to Disable xmlrpc.php
How to Disable xmlrpc.php with a Plugin
Installing a plugin to disable xmlrpc.php is the easiest way to do this. The Disable XML-RPC plugin will disable it completely. Here’s how you use it.
Install the plugin via your Plugins screen in the WordPress admin, and activate it.
You don’t have to do anything else: activating the plugin will cause it to disable XML-RPC.
How to Disable xmlrpc.php Without a Plugin
If you’d rather not install another plugin on your site, you can disable xmlrpc.php by adding some code in a filter, or to your .htaccess file. Let’s look at both methods.
Disable xmlrpc.php via a Filter
An option here is to use the xmlrpc_enabled filter to disable xmlrpc.php. Add this function to a plugin and activate it on your site:
add_filter( 'xmlrpc_enabled', '__return_false' );
You could add this to your theme functions file but it’s better practice to write a plugin.
The other option has to do with editing your .htaccess file, which is available with hosting providers that use Apache, by connecting to your site’s server via FTP or cPanel.
Disable xmlrpc.php via the .htacess File
In your .htaccess file, add this code:
Deny from all
Make sure you make a copy of the old file before you do so, just in case you run into any issues.
For more guides on security for wordpress and other services go check out Oversight Network - Offensive Security