Wordpress: Why you may want to disable XML-RPC Support - gHacks Tech News

WordPress: Why you may want to disable XML-RPC Support

I recently bought a new website to add to my website investment portfolio, moved it to a server after some initial testing, and have been running it on that server ever since. I noticed a couple of days ago that the site was timing out on page load times. Not always, but it happened from time to time which was cause for concern as I was not that familiar yet with the themes and plugins it used.

The site itself is powered by WordPress, and I started by going through plugin and theme settings to find a feature or setting that I could link to the time outs.

Turns out I could not. I contacted my hoster and they told me that this was caused by a spam attack that was using the XML-RPC (the RPC stands for Remote Procedure Call) feature.

XML-RPC for those who do not know about it is a remote publishing feature of WordPress. You can write your blog posts in third party software such as Windows Live Writer, Qumana or the cross-platform QTM, and publish it on the blog when you are done with it. It may also be used by pingbacks and trackbacks, as well as customized solutions.

xmlrpc

Anyway, the solution that the server provider implemented blocked any request to the xmlrpc.php file on the server to return a forbidden message.

<IfModule mod_alias.c>

RedirectMatch 403 /xmlrpc.php

</IfModule>

You can use the following code alternatively:

<Files xmlrpc.php>

Order Deny,Allow

Deny from all

</Files>

Just add this line to the end of your .htaccess file that is in your WordPress root directory to prevent access to the file. It is important that you only do so if xmlrpc is not used for anything.

You can alternatively use a filter to block it using the WordPress config file. To do so open wp-config.php and add

add_filter('xmlrpc_enabled', '__return_false');

after the following line:

require_once(ABSPATH.'wp-settings.php');

Note that doing so will not remove the line

<link rel="" href="https://www.ghacks.net/xmlrpc.php" />

from the page source code. Replace this domain name with yours to check it out.  Spammers may still use the information to send spam and pingback to your blog, and WordPress still needs to handle it. That's why it is better to have the server handle this via .htaccess.

The second .htaccess option enables you to whitelist IP addresses that you want to allow access to the file. Simply use the following code to do so:

<Files xmlrpc.php>

Order Deny,Allow

Deny from all

Allow from 987.654.321

</Files>

You can add multiple allow from lines here and need to change the bogus IP used in the example to the one that you want to whitelist.

If you want to remove the pingback line in the source code, open the theme header file and remove the line from there. While that removes the line from the source code, spammers may still use the default location of the file to use it.

You find more information about this on Click Nathan and Deluxe Blog Tips.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Daniel said on September 12, 2013 at 1:31 am
    Reply

    Wow. You were reading my mind. I was having the same issue the past day or two. I could access my home page, but anything past that I got the “500 internal server” error. I added in your fix, no more issue. Thanks a bunch!

  2. Dario said on September 13, 2013 at 10:15 am
    Reply

    What if you simply rename xmlrpc.php to something else?

    1. Martin Brinkmann said on September 13, 2013 at 12:35 pm
      Reply

      Possible as well, but it will be readded when you update I believe.

  3. Kirstov said on July 7, 2017 at 12:38 am
    Reply

    hello Martin you can also deny the request by 403 Forbidden error too by the URL /xmlrpc.php

    example you can try on the plugin here:

    https://wordpress.org/plugins/disable-xml-rpc-littlebizzy/

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.