
WordPress is the most popular CMS platform in the world, responsible for powering a little over 40% of all websites online. Part of its appeal comes from the wide range of features and flexibility it offers.
However, not every WordPress feature is worth using, and some actually present more risks than benefits. One example is the WordPress xmlrpc.php file.
This file is designed to allow remote procedure calls (RPCs) using XML, but it’s become a common WordPress security vulnerability for hackers to target. We’ll look at what makes this feature risky and why disabling xmlrpc.php can help protect your WordPress site.
The xmlrpc.php file in WordPress facilitates remote procedure calls using XML. It acts as a bridge between your WordPress site and external applications, using XML data with standardized encoding, typically UTF-8, to structure and exchange information between servers.
The xmlrpc.php file was originally introduced in the early days of WordPress to support the XML-RPC (Remote Procedure Call) protocol. Along with the XML-RPC API, this file enabled developers to create applications that could interact with WordPress websites remotely.
One of xmlrpc.php’s original purposes was to allow mobile apps to interact with WordPress sites. Handling pingbacks (a type of comment that is created when one blog links to another) and enabling remote publishing were two key functionalities.
WordPress’s xmlrpc.php file may not be the most secure feature, but it does provide some useful functionality. Common uses include:
Pingbacks let site owners know when another website links to their content. When one WordPress site links to another, a pingback is automatically generated and sent to the linked site as a notification.
One of the original purposes of the xmlrpc.php file was to facilitate these pingbacks. It handled these requests by receiving and processing them to create a pingback comment on the linked site.
Another major use of xmlrpc.php is to connect WordPress websites with mobile applications. By using the XML-RPC protocol, WordPress website owners can perform tasks such as retrieving posts, submitting new content, and managing comments, all via their mobile device.
The xmlrpc.php file also enables website owners to publish and manage content from anywhere. By using XML-RPC requests, users can create, edit, and delete posts, manage categories, and even moderate comments—all without needing direct access to the WordPress admin panel.
While these use cases can be convenient, they also open potential entry points for attackers.
Although the xmlrpc.php file offers some useful functionality, it introduces several security risks that WordPress site owners should be aware of. While most of these risks stem from WordPress’s built-in xmlrpc.php endpoint, they can also appear in outdated plugins or external publishing tools that still rely on XML-RPC and haven’t been properly maintained.
This includes security risks such as:
Brute force attacks involve repeatedly attempting various username and password combinations to try to gain unauthorized access to a website. Unfortunately, there is a certain aspect of the WordPress xmlrpc.php file that makes it a prime target for these attacks.
Because xmlrpc.php allows multiple commands to be executed within a single request, hackers can exploit the file to attempt numerous login combinations rapidly. This makes brute force attacks far more efficient and harder to detect, which is why many security experts recommend disabling xmlrpc.php entirely or restricting access to it.
DDoS attacks are a crippling type of cyberattack that’s designed to overwhelm a website’s servers with illegitimate traffic so that the website is unable to process requests from legitimate users. And, once again, there’s a feature of xmlrpc.php that helps hackers execute these attacks.
By exploiting the pingback feature in xmlrpc.php, attackers can trigger large numbers of pingback requests to a targeted site, flooding the server with traffic and making it temporarily inaccessible.
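Both of the attacks described above leave a recognisable trace in the web server's access log, and a site owner who keeps xmlrpc.php enabled should at least be watching for them. The following PHP command-line script is an added example (it is not from the original article or from WordPress itself) that scans combined-format access log lines for the two patterns: one client POSTing to /xmlrpc.php far more often than a human would, and a burst of GET requests from many different WordPress sites whose User-Agent ends in "verifying pingback from <ip>", which is the fetch WordPress performs before accepting a pingback and is what a reflected pingback flood looks like from the victim's side. The log lines, thresholds and window sizes are constructed assumptions; it needs PHP 8.

```php
<?php
// Added example (not from the original article): scan an Apache/nginx
// combined-format access log for the two xmlrpc.php abuse patterns above.
// The sample log lines are constructed; the thresholds are assumptions.
declare(strict_types=1);

// One combined-log line: ip ident user [time] "METHOD path proto" status size "referer" "ua"
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

/** Parse one log line into an array (ip, time, method, path, status, ua), or null. */
function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, trim($line), $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return $ts === false ? null : [
        'ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3],
        'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6],
    ];
}

/**
 * Brute-force indicator: clients that POSTed to /xmlrpc.php at least $threshold
 * times inside any $windowSeconds span. Returns ip => peak count in one window.
 * With system.multicall a single POST can carry many login attempts, so keep
 * the threshold much lower than one you would use for wp-login.php.
 */
function findXmlrpcBruteForce(array $lines, int $windowSeconds = 60, int $threshold = 20): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r !== null && $r['method'] === 'POST' && strtok($r['path'], '?') === '/xmlrpc.php') {
            $byIp[$r['ip']][] = $r['time'];
        }
    }
    $offenders = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $peak = 0;
        $start = 0;
        foreach ($times as $i => $t) {
            while ($t - $times[$start] > $windowSeconds) {   // slide the window forward
                $start++;
            }
            $peak = max($peak, $i - $start + 1);
        }
        if ($peak >= $threshold) {
            $offenders[$ip] = $peak;
        }
    }
    return $offenders;
}

/**
 * Reflected-pingback indicator: before accepting a pingback, WordPress fetches the
 * linking page with User-Agent "WordPress/x.y; <site>; verifying pingback from <ip>".
 * Many such GETs from many unrelated sites in one window means this site is the
 * target of a pingback flood. Returns the peak number of distinct reflector IPs
 * seen inside any $windowSeconds span.
 */
function peakPingbackReflectors(array $lines, int $windowSeconds = 60): int
{
    $events = [];
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r !== null && $r['method'] === 'GET' && str_contains($r['ua'], 'verifying pingback from')) {
            $events[] = [$r['time'], $r['ip']];
        }
    }
    usort($events, fn ($a, $b) => $a[0] <=> $b[0]);
    $peak = 0;
    $start = 0;
    $inWindow = [];                                  // ip => events currently inside the window
    foreach ($events as [$t, $ip]) {
        $inWindow[$ip] = ($inWindow[$ip] ?? 0) + 1;
        while ($t - $events[$start][0] > $windowSeconds) {
            $old = $events[$start][1];
            if (--$inWindow[$old] === 0) {
                unset($inWindow[$old]);
            }
            $start++;
        }
        $peak = max($peak, count($inWindow));
    }
    return $peak;
}

/** Constructed sample data: 25 XML-RPC logins from one client, 6 reflected pingback checks, 1 visitor. */
function sampleLogLines(): array
{
    $lines = [];
    for ($i = 0; $i < 25; $i++) {
        $lines[] = sprintf('198.51.100.7 - - [10/Mar/2024:08:00:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"', $i);
    }
    for ($i = 0; $i < 6; $i++) {
        $lines[] = sprintf('203.0.113.%d - - [10/Mar/2024:08:01:%02d +0000] "GET /2024/post-%d/ HTTP/1.1" 200 9876 "-" "WordPress/6.4; https://blog%d.example; verifying pingback from 192.0.2.9"', 10 + $i, $i, $i, $i);
    }
    $lines[] = '192.0.2.50 - - [10/Mar/2024:08:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"';
    return $lines;
}

if (PHP_SAPI === 'cli') {
    // php xmlrpc_log_scan.php [access.log]; without a file argument the sample data is used
    $lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : sampleLogLines();
    print_r(findXmlrpcBruteForce($lines));
    echo 'peak distinct pingback reflectors: ', peakPingbackReflectors($lines), PHP_EOL;
}
```

Run it against a real access log with `php xmlrpc_log_scan.php /var/log/apache2/access.log`; on the built-in sample it reports the single client that sent 25 logins in 25 seconds and a peak of six reflector addresses. The two checks are deliberately separate: the brute-force rule keys on one source address, while the pingback rule keys on many different sources sharing the same tell-tale User-Agent, because a reflected flood never comes from one place.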
In addition to DDoS and brute force XML-RPC attacks, the xmlrpc.php file is associated with several other vulnerabilities and broader security issues, including:
It’s worth noting that some of these vulnerabilities only affected older software. For example, WordPress versions prior to 1.5.1.3 were vulnerable to an XML-RPC–related SQL injection flaw, which has long since been patched.
The biggest benefit of the xmlrpc.php file is also its biggest problem when it comes to website security: it provides a capable interface for remote interactions, which is, unfortunately, an interface that malicious actors can sometimes access and exploit.
This isn’t all hypothetical, either. In fact, there are plenty of high-profile instances where hackers leveraged xmlrpc.php to cause a lot of damage. This includes a widespread campaign of brute force attacks exploiting xmlrpc.php that took place in 2015, a series of XML-RPC pingback attacks in 2016, and a cross-site scripting exploit in 2019 that allowed hackers to inject malicious scripts through XML-RPC requests.
Given the security risks posed by xmlrpc.php, many website owners choose to disable it and use alternatives to fill its role instead. Thankfully, there’s one alternative available that now fully replaces xmlrpc.php for most modern WordPress sites and offers many of the same benefits and functionalities without the inherent security vulnerabilities: the WordPress REST API.
Introduced in WordPress 4.7, the REST API allows developers to interact with WordPress in a more standardized and flexible manner using JSON data formats. It provides endpoints for WordPress data types, enabling developers to create, read, update, and delete content remotely using HTTP requests.
Most importantly, the WordPress REST API was designed with modern security practices in mind. It offers more robust authentication and access control, ensuring that only authorized users are allowed to remotely access the website.
Along with the REST API, website owners can also use various plugins to replace the functionality of the xmlrpc.php file. Jetpack, for example, is one plugin that leverages the REST API to provide functionalities, such as remote site management and remote publishing, in a way that’s secure and free of major vulnerabilities.
The xmlrpc.php file is enabled by default on WordPress websites, which means you’ll need to disable it yourself if you decide you don’t want to use it. The good news is that disabling xmlrpc.php is a quick and easy process, and there are several ways you can do it:
.htaccess is a configuration file that’s used by Apache-based web servers, and it can be used to block access to the xmlrpc.php file. To do this, use an FTP client or your web host's file manager to access your website’s root directory. Once you’re there, find the .htaccess file and open it in a text editor. You can then insert the following code and upload the .htaccess file back to the server to disable xmlrpc.php:
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
Not comfortable with editing your WordPress website’s code? There are security plugins available that allow you to disable xmlrpc.php or block XML-RPC requests with just a few clicks. For example, the Disable XML-RPC plugin lets you turn off or restrict the feature without modifying any code manually.
Using FTP or cPanel, you can disable xmlrpc.php by removing or renaming the file so that it no longer answers requests. To do this, open your root directory using either FTP or cPanel and locate the xmlrpc.php file. Right-click the file and choose either rename or delete. Doing either one of these things will disable it.
The final method for disabling xmlrpc.php is to add a snippet of code to your theme's functions.php file. Use an FTP client or your web host's file manager to navigate to your theme’s directory, typically located at /wp-content/themes/your-theme/. Once you find the functions.php file, open it in a text editor and add this line of code:
add_filter('xmlrpc_enabled', '__return_false');
You can then save the changes and upload the file back to your server, and xmlrpc.php will be disabled.
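A fuller version of that snippet, added here as an example and not taken from the original article or from WordPress core: WordPress documents the xmlrpc_enabled filter as controlling only the XML-RPC methods that require authentication, which is what stops login brute forcing, but pingback.ping and system.listMethods keep answering unless they are unregistered too. The code below does that with the standard xmlrpc_methods, wp_headers and wp_head hooks, and also stops the site from advertising the endpoint. Putting it in a must-use plugin rather than the theme is a suggestion, so that switching themes does not silently bring XML-RPC back.

```php
<?php
// Added example (not from the original article): a fuller alternative to the
// one-line functions.php snippet. Works in a theme's functions.php, but a
// must-use plugin (wp-content/mu-plugins/disable-xmlrpc.php) survives theme
// changes. All hooks used here are standard WordPress hooks.

// 1. Turn off every XML-RPC method that requires a login. This is the line the
//    article gives; it is what blocks credential brute forcing over XML-RPC.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Unregister the pingback methods as well, so the site can neither receive
//    pingbacks nor be used as a reflector in a pingback flood against someone
//    else. These stay reachable when only the filter above is set.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: WordPress adds an X-Pingback response header
//    on single posts and an RSD <link> in <head>, both pointing at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After adding this, a request to xmlrpc.php still returns an XML-RPC response (the file itself is untouched), but the method list no longer contains pingback.ping and any method that needs credentials is refused. If you want the file to be unreachable altogether, combine this with the .htaccess rule above; the two measures are independent and do not conflict.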
Once you’ve disabled it, use a free tool like XML-RPC Validator to confirm that the file is no longer accessible.
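If you would rather check from the command line, the script below is an added example (not part of the original article and not a WordPress tool) that sends one unauthenticated system.listMethods call and reports what the answer means. The target URL is a placeholder you pass as an argument; without one, it runs the classifier over three constructed responses so you can see the possible verdicts. Note what it tells you: a 403 or 404 means the file is really unreachable, while a method list means the endpoint still answers, which is the expected result when the xmlrpc_enabled filter is the only measure in place, because that filter leaves unauthenticated methods available.

```php
<?php
// Added example (not from the original article): a small CLI probe that shows
// how a site answers an unauthenticated XML-RPC call after you have tried to
// disable xmlrpc.php. The canned responses at the bottom are constructed; the
// target URL is a placeholder you pass on the command line.
declare(strict_types=1);

/** system.listMethods needs no credentials, so it is a safe read-only probe. */
function listMethodsRequest(): string
{
    return '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
}

/** Turn an HTTP status and body into a statement about the endpoint's state. */
function classifyXmlrpcResponse(int $status, string $body): string
{
    if ($status === 403) {
        return 'blocked at the web server (.htaccess rule, WAF or plugin) - good';
    }
    if ($status === 404) {
        return 'xmlrpc.php not found (removed or renamed) - good, but a core update may restore it';
    }
    libxml_use_internal_errors(true);                   // no warnings on HTML error pages
    $xml = simplexml_load_string($body);
    if ($xml === false || $xml->getName() !== 'methodResponse') {
        return "HTTP $status with a non-XML-RPC body - check what is answering";
    }
    if (isset($xml->fault)) {
        $nodes = $xml->xpath('//member[name="faultString"]/value/string');
        return 'endpoint answers with an XML-RPC fault: ' . ($nodes ? (string) $nodes[0] : '(no message)');
    }
    $methods = array_map('strval', $xml->xpath('//value/string'));
    $note = in_array('pingback.ping', $methods, true) ? ', pingback.ping still reachable' : '';
    // The xmlrpc_enabled filter only removes methods that need a login, so a
    // method list here is expected if that filter is the only measure in place.
    return 'endpoint still answers: ' . count($methods) . ' methods listed' . $note;
}

/** POST the probe to $url and classify the answer (one request, no credentials). */
function probeXmlrpc(string $url): string
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: text/xml\r\n",
        'content'       => listMethodsRequest(),
        'ignore_errors' => true,                           // keep the body on 4xx/5xx
        'timeout'       => 10,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        return 'no HTTP response (connection failed or blocked)';
    }
    preg_match('{^HTTP/\S+ (\d{3})}', $http_response_header[0], $m);
    return classifyXmlrpcResponse((int) $m[1], $body);
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {                                 // php xmlrpc_probe.php https://your-site.example/xmlrpc.php
        echo probeXmlrpc($argv[1]), PHP_EOL;
    } else {                                               // constructed answers to show the classifier
        $canned = [
            [403, '<html><body>Forbidden</body></html>'],
            [404, '<html><body>Not Found</body></html>'],
            [200, '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
                . '<value><string>system.listMethods</string></value>'
                . '<value><string>pingback.ping</string></value>'
                . '</data></array></value></param></params></methodResponse>'],
        ];
        foreach ($canned as [$status, $body]) {
            echo "HTTP $status: ", classifyXmlrpcResponse($status, $body), PHP_EOL;
        }
    }
}
```

Run it as `php xmlrpc_probe.php https://your-site.example/xmlrpc.php` against your own site only. Because it never sends credentials and makes a single request, it is safe to put in a monitoring job that alerts if the verdict ever changes back to "endpoint still answers", for example after a core update or a theme switch undoes whichever method you used.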
Disabling xmlrpc.php can eliminate some risky security vulnerabilities, but it’s far from the only practice necessary to secure a WordPress website. Along with disabling the xmlrpc.php file, here are some additional security measures to consider:
A web application firewall (WAF) is designed to monitor network traffic and block any suspicious requests. These firewalls offer excellent protection against a wide range of cyber threats, including SQL injection, cross-site scripting, DDoS attacks, and more.
If you don’t want to disable xmlrpc.php, you can shore up a lot of the vulnerabilities it creates by restricting access to the file based on IP address, so that only requests from the addresses you list reach it.
To restrict access to xmlrpc.php, use an FTP client or your web host's file manager to navigate to the root directory of your WordPress installation. Open the .htaccess file in a text editor, and add the following code:
<Files xmlrpc.php>
Order deny,allow
Deny from all
Allow from <INSERT THE IP ADDRESS YOU WANT TO ALLOW ACCESS>
Allow from <INSERT ADDITIONAL ALLOWED IP ADDRESS>
</Files>
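One practical caveat applies to both .htaccess snippets in this article. Order, Deny and Allow are Apache 2.2 directives; on Apache 2.4 they only work when the mod_access_compat module is loaded, and without it they produce a server error. The following fragment is an added example (not from the original article) giving the same deny-all and allow-list rules in the 2.4 Require syntax. The two addresses are placeholders to replace with your own.

```apache
# Added example (not from the original article): the deny-all and allow-list
# rules in Apache 2.4 syntax. Use one of the two <Files> blocks, not both.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses.

# Block every request to xmlrpc.php
<Files "xmlrpc.php">
    Require all denied
</Files>

# Or: allow only the listed addresses and networks, deny everyone else
<Files "xmlrpc.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>
```

Whichever version you use, confirm it afterwards with a request to the file: a 403 response means the rule is active, while a 500 response usually means the server is running 2.4 without mod_access_compat and the 2.2 directives need to be replaced with the Require form above.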
Disabling xmlrpc.php is just one of the many steps that WordPress website owners need to take to improve cybersecurity. SiteLock’s comprehensive suite of WordPress security tools and services makes all the other steps easy.
With a SiteLock website security plan, you get automated malware detection, malware removal, vulnerability patching, and continuous monitoring, all integrated into one easy solution.
To learn more about how SiteLock’s WordPress security services can help keep your site safe and secure, contact us today.