WordPress: Why you may want to disable XML-RPC Support
I recently bought a new website to add to my website investment portfolio, moved it to a server after some initial testing, and have been running it on that server ever since. I noticed a couple of days ago that the site was timing out on page load times. Not always, but it happened from time to time which was cause for concern as I was not that familiar yet with the themes and plugins it used.
The site itself is powered by WordPress, and I started by going through plugin and theme settings to find a feature or setting that I could link to the time outs.
Turns out I could not. I contacted my hoster and they told me that this was caused by a spam attack that was using the XML-RPC (the RPC stands for Remote Procedure Call) feature.
XML-RPC for those who do not know about it is a remote publishing feature of WordPress. You can write your blog posts in third party software such as Windows Live Writer, Qumana or the cross-platform QTM, and publish it on the blog when you are done with it. It may also be used by pingbacks and trackbacks, as well as customized solutions.
Anyway, the solution that the server provider implemented blocked any request to the xmlrpc.php file on the server to return a forbidden message.
RedirectMatch 403 /xmlrpc.php
You can use the following code alternatively:
Deny from all
Just add this line to the end of your .htaccess file that is in your WordPress root directory to prevent access to the file. It is important that you only do so if xmlrpc is not used for anything.
You can alternatively use a filter to block it using the WordPress config file. To do so open wp-config.php and add
after the following line:
Note that doing so will not remove the line
from the page source code. Replace this domain name with yours to check it out.Â Spammers may still use the information to send spam and pingback to your blog, and WordPress still needs to handle it. That's why it is better to have the server handle this via .htaccess.
The second .htaccess option enables you to whitelist IP addresses that you want to allow access to the file. Simply use the following code to do so:
Deny from all
Allow from 987.654.321
You can add multiple allow from lines here and need to change the bogus IP used in the example to the one that you want to whitelist.
If you want to remove the pingback line in the source code, open the theme header file and remove the line from there. While that removes the line from the source code, spammers may still use the default location of the file to use it.