Why you should disable XML-RPC in Wordpress...

Last updated on 06 Sep 2023, 13:13:54.
Category: All about web hosting | Webhosting settings

beveiliging Firewall Wordpress

The XML-RPC (XML Remote Procedure Call) functionality in Wordpress has become a backdoor for anyone trying to exploit a Wordpress installation.
Although Wordpress is an extremely user-friendly and accessible Content Management System, we do advice to enhance the security of your Wordpress site with some minor but effective tweaks.
Besides... did you know that the Kinamo webhosting platform by default comes with a web application firewall (WAF), which already rules out a lot of these culprits?

Please also be aware that you should keep your Wordpress installation up to date!
You have no clue on how to do this? Please ask our help, our team is ready!

What is Wordpress XML-RPC?

Updating a website with a single command triggered remotely. Sounds awesome... unfortunately it also sounds like a big red flag with the letters "hack me" painted in white, and that's exactly what happened with the XML-RPC function in Wordpress.

The initial idea behind the function was great, but soon it became clear that XML-RPC was going to be abused by hackers, scripts, bots... anything trying to access your Wordpress website.
Before version 3.5 there was no problem, the functionality was disabled by default, however nowadays, the function is turned on by default!
It is without doubt one of the most abused functions on a hosting platform and we can easily state that of the 1% "correct" requests, there are 99% faulty ones from bots, scripts, hackers,... all trying to fry your Wordpress installation by using XML-RPC DDoS attacks.

How can you disable XML-RPC in Wordpress?

Let's hope you are convinced of the "non" purpose of this function. If however you are 100% sure you need it, please ignore the rest of this article!
If you are a "believer" and you have doubts on the necessity for xml-rpc, use one of the possibilities below to disable XML-RPC.

But first... let's demystify one thing: simply removing xml-rpc.php will not help, in fact the next update the file will be back (or worse, your updates fail because the file is missing) and on the other side you will "move" the faulty requests to trigger a 404 error (page not found) which will cause as much load on the webserver as the initial request, so it is not a solution!

Using the Disable XML-RPC plugin

This is the easy way. The Disable XML-RPC plugin allows you to turn off the functionality. We admit, it is less sexy and nerdy, but it does the job!

Disable PingBacks/Tracebacks

The Pingback functionality (that uses XML-RPC) is best turned off. Turning it off will not solve the problem, but is best practise. If you used the plugin above, also turn off the pingbacks.
This can be done in the Wordpress dashboard in Wordpress, Settings "Allow link notifications from other blogs (pingbacks and trackbacks) on new articles".

Disable XML-RPC at webserver level

The best way is still removing the requests at webserver level. On Apache this can be done with the following content in your .htaccess file:

## block XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all

For NGinx server you can add the following code to the configuration:

## block XML-RPC requests
location = /xmlrpc.php {
 deny all;

We prefer the last step, since it already blocks the request even before the code is executed.

Please do keep in mind that the Kinamo Webhosting platform comes with web application firewalling (WAF) by default, it already blocks a majority of malicious requests. In other words, your website is in safe hands at the Kinamo hosting platform!

Related articles

Kinamo mail server settings (mail server cheat sheet)

The following article provides the basic settings and server names (domain names) for the Kinamo mail infrastructure. These settings allow...

Read more

Create an automatic SPAM filter in the Kinamo Webmail

This article explains how you may create a filter that will automatically place SPAM messages in a special folder, so...

Read more

Order an SSL certificate? What is an SSL certificate?

You need to order an SSL certificate? But what is an SSL certificate? And why is everyone saying that it...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Select your language

All languages: