Tags for this FAQ item:
security Firewall Wordpress

To what extent has this article answered your question?

Rated 5 stars, based on 3 votes

Why you should disable XML-RPC in Wordpress...

Last updated: 07/06/2018

This article explains how you can optimize Wordpress to prevent it from being attacked through the xml-rpc.php vulnerability.

The XML-RPC (XML Remote Procedure Call) functionality in Wordpress has become a backdoor for anyone trying to exploit a Wordpress installation.
Although Wordpress is an extremely user-friendly and accessible Content Management System, we do advice to enhance the security of your Wordpress site with some minor but effective tweaks.
Besides... did you know that the Kinamo webhosting platform by default comes with a web application firewall (WAF), which already rules out a lot of these culprits?

Please also be aware that you should keep your Wordpress installation up to date!
You have no clue on how to do this? Please ask our help, our team is ready!

Updating a website with a single command triggered remotely. Sounds awesome... unfortunately it also sounds like a big red flag with the letters "hack me" painted in white, and that's exactly what happened with the XML-RPC function in Wordpress.

The initial idea behind the function was great, but soon it became clear that XML-RPC was going to be abused by hackers, scripts, bots... anything trying to access your Wordpress website.
Before version 3.5 there was no problem, the functionality was disabled by default, however nowadays, the function is turned on by default!
It is without doubt one of the most abused functions on a hosting platform and we can easily state that of the 1% "correct" requests, there are 99% faulty ones from bots, scripts, hackers,... all trying to fry your Wordpress installation by using XML-RPC DDoS attacks.

Let's hope you are convinced of the "non" purpose of this function. If however you are 100% sure you need it, please ignore the rest of this article!
If you are a "believer" and you have doubts on the necessity for xml-rpc, use one of the possibilities below to disable XML-RPC.

But first... let's demystify one thing: simply removing xml-rpc.php will not help, in fact the next update the file will be back (or worse, your updates fail because the file is missing) and on the other side you will "move" the faulty requests to trigger a 404 error (page not found) which will cause as much load on the webserver as the initial request, so it is not a solution!

This is the easy way. The Disable XML-RPC plugin allows you to turn off the functionality. We admit, it is less sexy and nerdy, but it does the job!

The Pingback functionality (that uses XML-RPC) is best turned off. Turning it off will not solve the problem, but is best practise. If you used the plugin above, also turn off the pingbacks.
This can be done in the Wordpress dashboard in Wordpress, Settings "Allow link notifications from other blogs (pingbacks and trackbacks) on new articles".

The best way is still removing the requests at webserver level. On Apache this can be done with the following content in your .htaccess file:

## block XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

For NGinx server you can add the following code to the configuration:

## block XML-RPC requests
location = /xmlrpc.php {
deny all;
}

We prefer the last step, since it already blocks the request even before the code is executed.

Please do keep in mind that the Kinamo Webhosting platform comes with web application firewalling (WAF) by default, it already blocks a majority of malicious requests. In other words, your website is in safe hands at the Kinamo hosting platform!