XMLRPC.PHP in WordPress and Should it be disabled?


In a perfect world, all of the systems and tools you use to create and maintain your WordPress sites would be both convenient and secure. Unfortunately, that isn’t always the case.

XML-RPC is useful for enabling remote connections between various external applications and WordPress. On the other hand, disabling this feature can help improve your site’s security. Plus, unless you belong to a specific category of WordPress users, there’s a good chance you won’t even miss it.

In this post, we’ll explain what xmlrpc.php is, how it’s used, and why you might want to disable it. Then we’ll show you how to turn it off both via a plugin and manually. Let’s get started!

What Is xmlrpc.php?

XML-RPC is a feature included in WordPress that enables data to be transmitted between your site and remote clients. It uses HTTP as the transport mechanism and XML as the encoding mechanism. Simply put, xmlrpc.php lets you access your website from custom admin software and mobile applications, rather than through a browser.

Why You Should Disable xmlrpc.php

The problem is that xmlrpc.php poses a security risk. It creates an additional access point to your site, which could leave it vulnerable to external attacks. Every time you authenticate via XML-RPC, you need to supply your username and password. As you can imagine, this isn’t exactly ideal for security purposes.

For example, in order to prevent brute force attacks, you can limit login attempts on your WordPress site. However, with XML-RPC enabled, that limit does not apply. There’s no cap on login attempts through xmlrpc.php, which means it’s only a matter of time before a determined cybercriminal gains access.

By disabling the feature, you are closing a potential area of entry for hackers. Of course, without XML-RPC, remote access isn’t possible. You would need to log in directly to WordPress for publishing and updating purposes. Therefore, if mobile apps and remote software are the methods you rely on for site updates, turning this feature off may not be a practical option.

However, if security is your top priority, this may be a step you want to consider. Additionally, if remote connections aren’t something you deal with on a day-to-day basis, you likely won’t miss the feature when it’s gone. In this situation, you have nothing to lose and only an added layer of security to gain.

As we’ll discuss below, there are different methods you can use to disable xmlrpc.php. It’s important to keep in mind, however, that disabling this feature doesn’t have to be permanent. If you need to turn the feature back on, you can do so easily by simply reversing the process.

How to Disable xmlrpc.php Manually

What if you want to avoid using a plugin, and prefer instead to disable xmlrpc.php manually? This will prevent all xmlrpc.php requests from reaching WordPress, and isn’t particularly difficult. You can do so by following these two steps.

Step 1: Insert Code into Your .htaccess File

First, locate and open your .htaccess file in the root folder of your site. Once you have the file ready, insert the following code:

# Block WordPress xmlrpc.php requests
# (Apache 2.2 access syntax; on Apache 2.4 this needs mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: replace the placeholder with the one IP address that may still use xmlrpc.php
allow from YOUR.IP.ADDRESS.HERE
</Files>

If there’s a specific IP address you want to allow xmlrpc.php access for, replace the placeholder on the "allow from" line with that address. Otherwise, remove the "allow from" line entirely. When you’re done, save your changes.

Verify and Monitor the Changes

The above step is all that’s required to successfully disable xmlrpc.php on your WordPress site. However, it doesn’t hurt to verify that the feature has been properly configured.

To do this, you can use a tool such as the WordPress XML-RPC validator
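You can also check the result yourself. The script below is an added example, not part of the original post or of any WordPress tool: it POSTs the credential-free system.listMethods call to your own site’s xmlrpc.php and reports whether the web server refused it (the .htaccess rule is working) or WordPress answered (it is not). The site URL is a placeholder you supply.

```python
"""Check whether xmlrpc.php is actually blocked after the .htaccess change."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# system.listMethods takes no parameters and needs no credentials, so it is a
# harmless way to see whether the endpoint still reaches WordPress.
LIST_METHODS_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"
)


def classify_response(status: int, body: str) -> str:
    """Classify the HTTP status and body returned by POST /xmlrpc.php.

    "blocked": the web server refused the request (deny from all gives 403).
    "enabled": WordPress answered with an XML-RPC methodResponse; even a
               <fault> reply means the request reached PHP, so the
               web-server block is not in effect.
    "unknown": anything else (redirects, custom error pages, HTML 404s).
    """
    if status in (401, 403):
        return "blocked"
    if status == 200:
        try:
            root = ET.fromstring(body.strip())
        except ET.ParseError:
            return "unknown"
        if root.tag == "methodResponse":
            return "enabled"
    return "unknown"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """POST system.listMethods to <base_url>/xmlrpc.php and classify the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php",
        data=LIST_METHODS_REQUEST.encode(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx also carry a body
        return classify_response(err.code, err.read().decode(errors="replace"))


if __name__ == "__main__":
    # Placeholder site URL; pass your own site's URL as the first argument.
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "https://example.com"))
```

Run it once before and once after editing .htaccess; the result should change from "enabled" to "blocked".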


Post Original Author: wpengine.com
