What Is xmlrpc.php In WordPress & Why Should You Disable It?

WordPress is the most popular web hosting platform in the world, responsible for powering a little over 40% of all websites on the internet. And a big part of what makes WordPress so popular is all the different features the platform offers.

However, not every WordPress feature is worth using, and some actually present more risks than benefits. Case in point: WordPress’s xmlrpc.php file.

This file is designed to allow remote procedure calls (RPCs) using XML. Unfortunately, it’s become a common WordPress security vulnerability for hackers to target. Let’s go over everything you need to know about this risky WordPress feature and why you may want to disable xmlrpc.php to keep your WordPress website secure.

What is the xmlrpc.php file?

The xmlrpc.php file in WordPress facilitates remote procedure calls (RPC) using XML. It essentially acts like a bridge between your WordPress site and external applications, allowing them to communicate with each other.

The xmlrpc.php file was originally introduced in the early days of WordPress to support the XML-RPC (Remote Procedure Call) protocol. Along with the XML-RPC API, this file enabled developers to create applications that could interact with WordPress websites remotely. One of xmlrpc.php’s primary applications back when it was first introduced was to allow mobile apps to interact with WordPress sites. Handling pingbacks (a type of comment that is created when one blog links to another) and enabling remote publishing were two other key functionalities of the xmlrpc.php file.

Common uses of xmlrpc.php

WordPress’s xmlrpc.php file may not be the most secure WordPress feature, but it does offer some benefits and uses. Some of the most common uses of xmlrpc.php include:

Pingback feature

Pingbacks are a way for website owners to be notified when another website links to their content. When one WordPress site links to another, a pingback is automatically generated and sent to the linked site. It’s essentially just a notification that lets you know someone else has linked to your webpage or blog.

One of the original purposes of the xmlrpc.php file was to facilitate these pingbacks; it’s designed to receive the pingback request from the linking site and process it to create a pingback comment on the site that’s being linked to.

Mobile app integration

One of the main uses of xmlrpc.php is to connect WordPress websites and mobile applications. By using the XML-RPC protocol, WordPress website owners can perform tasks such as retrieving posts, submitting new content, and managing comments, all via a mobile app.

Remote publishing

One nice feature of WordPress websites is that they allow website owners to publish and manage content from anywhere in the world. And the xmlrpc.php file played a key role in facilitating this by allowing users to access their WordPress dashboards remotely.

By using XML-RPC requests, users can create, edit, and delete posts, manage categories, and even moderate comments—all without needing direct access to the WordPress admin panel.

Security risks and vulnerabilities

WordPress’s xmlrpc.php file does have its benefits and helpful use cases. However, it also presents some considerable WordPress security risks and vulnerabilities that must be considered as well. This includes security risks such as:

Brute force attacks

Brute force attacks involve repeatedly attempting various username and password combinations to try and gain unauthorized access to a website. Unfortunately, there is a certain aspect of the WordPress xmlrpc.php file that makes it a prime target for these attacks.

Because xmlrpc.php allows multiple commands to be executed within a single request, hackers can exploit the file to attempt numerous login combinations rapidly. It essentially allows them to accelerate the process and bypass traditional rate-limiting mechanisms designed to protect against brute force attacks.

Distributed denial of service (DDoS) attacks

DDoS attacks are a crippling type of cyberattack that’s designed to overwhelm a website’s servers with illegitimate traffic so that the website is unable to process requests from legitimate users. And, once again, there’s a feature of xmlrpc.php that helps hackers execute these attacks.

By using the pingback feature within xmlrpc.php, hackers can easily send a large number of pingback requests to the target site, overwhelming the server and rendering the website inaccessible for as long as the DDoS attack persists.

Broader security issues

In addition to DDoS and brute force attacks, the xmlrpc.php file is associated with several other vulnerabilities and broader security issues, including:

• Cross-site scripting (XSS): Hackers can inject malicious scripts through poorly sanitized XML-RPC requests.

• SQL injection: Improper handling of XML-RPC data can allow hackers to manipulate database queries.

• Remote code execution: Exploiting flaws in xmlrpc.php can allow hackers to execute arbitrary code on the server.

The biggest benefit of the xmlrpc.php file is also its biggest problem when it comes to website security: it provides a capable interface for remote interactions, which is, unfortunately, an interface that malicious actors can sometimes access and exploit.

This isn’t all hypothetical, either. In fact, there are plenty of high-profile instances where hackers leveraged xmlrpc.php to cause a lot of damage. This includes a widespread campaign of brute force attacks exploiting xmlrpc.php that took place in 2015, a series of XML-RPC pingback attacks in 2016, and a cross-site scripting exploit in 2019 that allowed hackers to inject malicious scripts through XML-RPC requests.

Alternatives to xmlrpc.php

Given the security risks posed by xmlrpc.php, many website owners choose to disable it and use alternatives to fill its role instead. Thankfully, there’s one alternative available that offers many of the same benefits and functionalities as xmlrpc.php without the inherent security vulnerabilities: WordPress REST API.

Introduced in WordPress 4.7, REST API allows developers to interact with WordPress in a more standardized and flexible manner using JSON data formats. It provides endpoints for WordPress data types, enabling developers to create, read, update, and delete content remotely using HTTP requests.

Most importantly, WordPress REST API was designed with modern security practices in mind. It offers much more robust mechanisms for authentication and authorization, ensuring that only authorized users are allowed to remotely access the website.

Along with the REST API, website owners can also use various plugins to replace the functionality of the xmlrpc.php file. Jetpack, for example, is one plugin that leverages the REST API to provide functionalities, such as remote site management and remote publishing, in a way that’s secure and free of major vulnerabilities.

How to disable xmlrpc.php

The xmlrpc.php file is enabled by default on WordPress websites, which means you’ll need to disable it yourself if you decide you don’t want to use it. The good news is that disabling xmlrpc.php is a quick and easy process, and there are several ways you can do it:

Use .htaccess file

.htaccess is a configuration file that’s used by Apache-based web servers, and it can be used to block access to the xmlrpc.php file. To do this, use an FTP client or your web host's file manager to access your website’s root directory. Once you’re there, find the .htaccess file and open it in a text editor. You can then insert the following code and upload the .htaccess file back to the server to disable xmlrpc.php:

<Files xmlrpc.php>

Order deny,allow

Deny from all

</Files>

Use security plugins

Not comfortable with editing your WordPress website’s code? There are several security plugins that can help you disable xmlrpc.php without having to modify code manually. This includes WordPress plugins such as:

• Disable XML-RPC

• Wordfence Security

• iThemes Security

• All In One WP Security & Firewall

With any one of these plugins, you can disable the xmlrpc.php file with a few clicks of your mouse; no coding is required.

Use FTP or cPanel

Using FTP or CPanel, you can disable xmlrpc.php by removing or renaming the file and making it inaccessible to requests. To do this, open your root directory using either FTP or cPanel and locate the xmlrpc.php file. Right-click on the file to either rename or delete. Doing either one of these things will disable it.

Modify the functions.php file

The final method for disabling xmlrpc.php is to add a snippet of code to your theme's functions.php file. Use an FTP client or your web host's file manager to navigate to your theme’s directory, typically located at /wp-content/themes/your-theme/. Once you find the functions.php file, open it in a text editor and add this line of code:

add_filter('xmlrpc_enabled', '__return_false');

You can then save the changes and upload the file back to your server, and xmlrpc.php will be disabled.

Additional security measures

Disabling xmlrpc.php can eliminate some risky security vulnerabilities, but it’s far from the only practice necessary to secure a WordPress website. Along with disabling the xmlrpc.php file, here are some additional security measures to consider:

Implement a firewall

A web application firewall (WAF) is designed to monitor network traffic and block any suspicious requests. These firewalls offer excellent protection against a wide range of cyber threats, including SQL injection, cross-site scripting, DDoS attacks, and more.

Restrict access by IP addresses

If you don’t want to disable xmlrpc.php, you can shore up a lot of the vulnerabilities it creates by restricting access to the file based on IP address. This ensures that only authorized users can access the file.

To restrict access to xmlrpc.php, use an FTP client or your web host's file manager to navigate to the root directory of your WordPress installation. Open the .htaccess file in a text editor, and add the following code:

<Files xmlrpc.php>

Order deny,allow

Deny from all

Allow from <INSERT THE IP ADDRESS YOU WANT TO ALLOW ACCESS>

Allow from <INSERT ADDITIONAL ALLOWED IP ADDRESS>

</Files>

Secure your WordPress site with SiteLock

Disabling xmlrpc.php is just one of the many steps that WordPress website owners need to take to improve website security. Thankfully, SiteLock’s comprehensive suite of WordPress security tools and services makes all the other steps easy.

With a SiteLock website security plan, you get automated malware detection, malware removal, vulnerability patching, and more all rolled into one package.

To learn more about how SiteLock’s WordPress security services can help keep your site safe and secure, feel free to contact us today!

Image by freepik