If offering your clients impregnable hosting security for their WordPress websites without lifting a finger sounds great, you’re going to love Block XML-RPC … our newest weapon against XML-RPC attacks!
Since its inception, WordPress has allowed users to interact remotely with their sites using a built-in feature called XML-RPC. This is not only wonderful for smartphone users who want to blog on the go … but hackers too!
In this article, we’ll cover everything you need to know about XML-RPC and show you how to easily and automatically protect WordPress sites hosted with WPMU DEV from hackers exploiting XML-RPC vulnerabilities using our latest hosting security tool.
We’ll also show you how to protect WordPress sites hosted elsewhere.
Let’s jump right in …
What Is XML-RPC?
XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism.
In simple and practical terms, XML-RPC is used for enabling external applications to interact with your WordPress site. This includes actions like posting content, fetching posts, and managing comments remotely, without using the WordPress web interface.
WordPress supports XML-RPC through a file called xmlrpc.php, which can be found in the root directory of every WordPress install. In fact, XML-RPC support has been part of WordPress since before the project was officially called WordPress.
You can learn more about XML-RPC and WordPress on this post: XML-RPC and Why It’s Time to Remove it for WordPress Security.
What Is XML-RPC Used For?
If you need to access your WordPress website but you’re nowhere near your computer, XML-RPC facilitates remote content management and integration with third-party applications, streamlining the management of WordPress sites without direct access to the admin dashboard.
WordPress users can benefit from using XML-RPC in areas like:
- Mobile Blogging: Publish posts, edit pages, and upload media files remotely using the WordPress mobile app or other mobile apps.
- Integration with Desktop Blogging Clients: Applications like Windows Live Writer or MarsEdit allow users to write and publish content from their desktops.
- Integration with Services: Make connections to services like IFTTT.
- Remote Management Tools: Enable the management of multiple WordPress sites from a single dashboard.
- Trackbacks and Pingbacks: Notifications that other sites send when they link to your content.
Despite losing popularity to newer, more efficient, and more secure APIs built on standards like REST or GraphQL, and despite PHP no longer supporting it from version 8.0 onward, XML-RPC is still widely used in WordPress because it is integrated into many existing systems.
XML-RPC and WordPress Security
If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish to your blog remotely, then you need XML-RPC enabled. Otherwise, it’s just another portal for hackers to target and exploit.
Pros and Cons of Using XML-RPC
The pros of using XML-RPC are mostly convenience and efficiency.
Though most applications can use the WordPress API instead of XML-RPC, some may still require access to xmlrpc.php, using it to stay compatible with older versions that are still in active use.
It’s important, however, to know the cons of using XML-RPC.
Basically, XML-RPC is an outdated protocol with inherent security flaws.
These include:
- Security Risk: XML-RPC can be exploited for large-scale brute force attacks, because it places no limit on login attempts. Attackers have used it to run widespread brute force campaigns against WordPress sites: by leveraging the system.multicall method, they can test thousands of password combinations with a single request.
- Performance: XML-RPC’s pingback feature can be used as a vector for DDoS attacks, turning unsuspecting WordPress sites into bots against targeted domains, and the extra load can slow down or crash the site.
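The two abuse patterns just listed leave a recognizable shape in the request body sent to /xmlrpc.php: a system.multicall wrapping many credentialed calls, or a pingback.ping call. The classifier below is an added example, not code from WPMU DEV or WordPress; it runs offline over captured POST bodies (for instance from a reverse-proxy or WAF log) and flags those shapes. The method names are real WordPress XML-RPC methods; the threshold and the sample bodies are constructed for this example.

```python
"""Classify XML-RPC request bodies for multicall brute force and pingback abuse.

Added example, not code from WPMU DEV or WordPress. Sample bodies, credentials
and the threshold are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# WordPress methods that take a username and password, and so are the ones an
# attacker packs into system.multicall to test many credentials per request.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "blogger.getUsersBlogs"}

# Assumed threshold: more credentialed calls than this inside one multicall is
# treated as password guessing. Tune it to what your legitimate clients send.
MULTICALL_THRESHOLD = 10

# Constructed sample: one system.multicall carrying three wp.getUsersBlogs
# attempts against the same account (the credentials are made up).
SAMPLE_MULTICALL = """<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess-1</string></value></data></array></value></member>
</struct></value>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess-2</string></value></data></array></value></member>
</struct></value>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess-3</string></value></data></array></value></member>
</struct></value>
</data></array></value></param></params></methodCall>"""

# Constructed sample: a single pingback.ping call (URLs are placeholders).
SAMPLE_PINGBACK = """<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>https://source.example/post</string></value></param>
<param><value><string>https://target.example/page</string></value></param>
</params></methodCall>"""


def _value_text(value):
    """Text of an XML-RPC <value>, whether typed (<string>x</string>) or bare."""
    child = value.find("string")
    text = child.text if child is not None else value.text
    return (text or "").strip()


def inner_method_names(root):
    """Return the methodName of every call packed inside a system.multicall."""
    names = []
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        for member in struct.iterfind("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                names.append(_value_text(member.find("value")))
    return names


def classify(body, multicall_threshold=MULTICALL_THRESHOLD):
    """Return a dict with the top-level method, call counts and a verdict for one body."""
    result = {"method": None, "calls": 0, "auth_calls": 0, "verdict": "malformed"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result
    if root.tag != "methodCall":
        return result
    method = (root.findtext("methodName") or "").strip()
    result["method"] = method
    if method == "system.multicall":
        inner = inner_method_names(root)
        auth = sum(1 for name in inner if name in AUTH_METHODS)
        result.update(calls=len(inner), auth_calls=auth)
        if auth >= multicall_threshold:
            result["verdict"] = "brute_force_multicall"  # many credential checks in one request
        elif len(inner) >= multicall_threshold:
            result["verdict"] = "large_multicall"        # unusual size, worth a look
        else:
            result["verdict"] = "ok"
        return result
    result["calls"] = 1
    result["auth_calls"] = int(method in AUTH_METHODS)
    # pingback.ping is flagged on sight: it is the method behind the DDoS abuse.
    result["verdict"] = "pingback" if method == "pingback.ping" else "ok"
    return result


if __name__ == "__main__":
    for body in (SAMPLE_MULTICALL, SAMPLE_PINGBACK):
        print(classify(body, multicall_threshold=3))
```

The verdict strings are meant to feed an alert or a rate limiter keyed on the client address; a plugin-level block still has to parse and answer such requests, which is the point made later about server load.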
How to Check if XML-RPC is Enabled/Disabled on WordPress Sites
You can use an XML-RPC validation tool to check whether your WordPress site has XML-RPC enabled or disabled.
Enter your URL into the Address field and click the Check button.
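For readers who would rather script the check than use a web form, here is an added example (not WPMU DEV's validator or WordPress code) showing one way such a checker can work: it POSTs a system.listMethods call to xmlrpc.php and reads the reply. The sample responses are constructed; treating an XML fault reply as "disabled" is an assumption, since a plugin-level block typically still returns an XML-RPC fault rather than an HTTP error.

```python
"""Check whether a WordPress site's xmlrpc.php answers XML-RPC calls.

Added example, not WPMU DEV's validator or WordPress code. The sample
responses are constructed; the fault-means-disabled mapping is an assumption.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

LIST_METHODS_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"
)

# Methods behind the two risks described in the article: multicall brute force
# and pingback-based DDoS. A checker should highlight them when advertised.
RISKY_METHODS = {"system.multicall", "pingback.ping"}

# Constructed reply from a site with XML-RPC enabled (shortened method list).
SAMPLE_ENABLED = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed reply shaped like a WordPress XML-RPC fault (plugin-level block).
SAMPLE_FAULT = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""


def interpret(status, body):
    """Map an HTTP status and response body to enabled / disabled / blocked."""
    if status != 200:
        # A server-level block (e.g. a 403 from the web server) never reaches WordPress.
        return {"state": "blocked", "methods": [], "detail": f"HTTP {status}"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"state": "blocked", "methods": [], "detail": "non-XML response"}
    if root.tag != "methodResponse":
        return {"state": "blocked", "methods": [], "detail": "not an XML-RPC response"}
    fault = root.find("fault")
    if fault is not None:
        message = ""
        for member in fault.iterfind("./value/struct/member"):
            if (member.findtext("name") or "").strip() == "faultString":
                message = (member.findtext("value/string") or "").strip()
        return {"state": "disabled", "methods": [], "detail": message}
    methods = sorted(
        (el.text or "").strip()
        for el in root.iterfind("./params/param/value/array/data/value/string")
    )
    return {"state": "enabled", "methods": methods, "detail": f"{len(methods)} methods advertised"}


def risky_methods(methods):
    """Sorted list of advertised methods that the article identifies as attack vectors."""
    return sorted(set(methods) & RISKY_METHODS)


def check_site(site_url, timeout=10):
    """POST system.listMethods to <site_url>/xmlrpc.php and interpret the reply (uses the network)."""
    request = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=LIST_METHODS_REQUEST.encode(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    report = interpret(200, SAMPLE_ENABLED)
    print(report["state"], risky_methods(report["methods"]))
    # For a live check of a site you administer: print(check_site("https://example.com"))
```

Run check_site only against sites you administer. The three states line up with the options discussed later in the article: "enabled" means nothing is in the way, "disabled" is what a plugin-level block looks like, and "blocked" is the server-level 403.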
If XML-RPC is enabled, the tool will display a message confirming it.
As explained above, XML-RPC can make WordPress sites vulnerable to spam and cyber attacks.
This is why the best hosting companies block XML-RPC by default, and why we recommend disabling XML-RPC on your WordPress site(s) unless you have applications installed that require it to be enabled.
Let’s take a look, then, at a couple of options you can use to automatically disable XML-RPC on your site (see this post for a manual method that involves adding code to your .htaccess file).
Automate Your Hosting Security with WPMU DEV’s Block XML-RPC Tool
We’ve recently launched a hosting tool called Block XML-RPC that, when enabled, automatically blocks incoming requests to /xmlrpc.php.
If the tool is disabled, your WordPress site will allow applications access to the /xmlrpc.php file.
Note: New sites hosted on WPMU DEV are created with the Block XML-RPC tool enabled by default.
To access the tool and enable XML-RPC blocking on existing sites, go to The Hub and select the Hosting > Tools tab.
Click On/Off to toggle the feature and save your settings when done.
That’s it! Your site is now protected from XML-RPC exploits and attacks at the server level.
Not Hosted with WPMU DEV? We’ve Got You Covered
If your site is not hosted with WPMU DEV (tsk, tsk…), you can use our free Defender security plugin to disable XML-RPC.
The Disable XML-RPC feature is located in the plugin’s Recommendations section.
You can check if XML-RPC has been disabled in the Status section.
Note: WordPress plugins only block XML-RPC at the WordPress PHP level, so during an attack every request still reaches WordPress PHP and has to be processed there, which increases server load.
In contrast, when you enable Block XML-RPC at the server level, the requests never reach your site: the server answers them with a “403 Forbidden” error, and the attackers get nothing else.
For more information and detailed tutorials on the above, see these doc sections: Block XML-RPC tool (Hosting) and Disable XML RPC (Defender plugin).
R-E-S-P-E-C-T XML-RPC
Given the potential security risks, WordPress site owners should carefully consider whether the convenience offered by XML-RPC outweighs its vulnerabilities.
For WordPress sites that benefit from XML-RPC, we recommend implementing strong passwords, limiting login attempts, and using a security plugin like Defender to help mitigate the risks.
However, if the functionality is not needed and your sites run on any of our hosting plans, we strongly recommend disabling XML-RPC at the server level using the Block XML-RPC tool to further reduce the possibility of DDoS and brute force attacks.