Undetectable Humanizer: Lifetime Subscription
Transform AI-Generated Text into Human-Like, High-Ranking Content & Bypass Even the Most Sophisticated AI Detectors
Get 95% Deal

WordPress: Why you may want to disable XML-RPC Support

Martin Brinkmann
Sep 11, 2013
Development
|
5

I recently bought a new website to add to my website investment portfolio, moved it to a server after some initial testing, and have been running it on that server ever since. I noticed a couple of days ago that the site was timing out on page load times. Not always, but it happened from time to time which was cause for concern as I was not that familiar yet with the themes and plugins it used.

The site itself is powered by WordPress, and I started by going through plugin and theme settings to find a feature or setting that I could link to the time outs.

Turns out I could not. I contacted my hoster and they told me that this was caused by a spam attack that was using the XML-RPC (the RPC stands for Remote Procedure Call) feature.

XML-RPC for those who do not know about it is a remote publishing feature of WordPress. You can write your blog posts in third party software such as Windows Live Writer, Qumana or the cross-platform QTM, and publish it on the blog when you are done with it. It may also be used by pingbacks and trackbacks, as well as customized solutions.

Anyway, the solution that the server provider implemented blocked any request to the xmlrpc.php file on the server to return a forbidden message.

<IfModule mod_alias.c>

RedirectMatch 403 /xmlrpc.php

</IfModule>

You can use the following code alternatively:

<Files xmlrpc.php>

Order Deny,Allow

Deny from all

</Files>

Just add this line to the end of your .htaccess file that is in your WordPress root directory to prevent access to the file. It is important that you only do so if xmlrpc is not used for anything.

You can alternatively use a filter to block it using the WordPress config file. To do so open wp-config.php and add

add_filter('xmlrpc_enabled', '__return_false');

after the following line:

require_once(ABSPATH.'wp-settings.php');

Note that doing so will not remove the line

<link rel="pingback" href="https://www.ghacks.net/xmlrpc.php" />

from the page source code. Replace this domain name with yours to check it out.  Spammers may still use the information to send spam and pingback to your blog, and WordPress still needs to handle it. That's why it is better to have the server handle this via .htaccess.

The second .htaccess option enables you to whitelist IP addresses that you want to allow access to the file. Simply use the following code to do so:

<Files xmlrpc.php>

Order Deny,Allow

Deny from all

Allow from 987.654.321

</Files>

You can add multiple allow from lines here and need to change the bogus IP used in the example to the one that you want to whitelist.

If you want to remove the pingback line in the source code, open the theme header file and remove the line from there. While that removes the line from the source code, spammers may still use the default location of the file to use it.

You find more information about this on Click Nathan and Deluxe Blog Tips.

Advertisement

Previous Post: «
Next Post: «

Comments

  1. Luis said on March 31, 2019 at 5:03 pm
    Reply

    For WordPress, the odd side is that you can’t use WLR or OLW. Posting from the admin editor is an annoyance really.
    Since most bloggers do not use a fixed IP, maybe the solution is some sort of password to access xmlrpc.php.

  2. Kirstov said on July 7, 2017 at 12:38 am
    Reply

    hello Martin you can also deny the request by 403 Forbidden error too by the URL /xmlrpc.php

    example you can try on the plugin here:

    https://wordpress.org/plugins/disable-xml-rpc-littlebizzy/

  3. Dario said on September 13, 2013 at 10:15 am
    Reply

    What if you simply rename xmlrpc.php to something else?

    1. Martin Brinkmann said on September 13, 2013 at 12:35 pm
      Reply

      Possible as well, but it will be readded when you update I believe.

  4. Daniel said on September 12, 2013 at 1:31 am
    Reply

    Wow. You were reading my mind. I was having the same issue the past day or two. I could access my home page, but anything past that I got the “500 internal server” error. I added in your fix, no more issue. Thanks a bunch!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.