If you are here looking for ways to disable XML-RPC to protect your website from attacks through WordPress XML-RPC, you are in the right place. But before you do that, you should know the answers to these questions.
- What is XML-RPC.php?
- How can an XML-RPC exploit put your website at risk?
- Is disabling XML-RPC going to solve everything?
- What can be the alternative to disabling the XML-RPC feature?
In this article, we answer all of these questions and more.
What is XML-RPC?
WordPress XML-RPC is an API (application programming interface) that lets other software, such as desktop publishing clients, the WordPress mobile apps and plugins like Jetpack, read and write content on your WordPress website over HTTP.
The WordPress REST API, part of core since WordPress 4.7, now covers most of the same use cases, but xmlrpc.php still ships with every WordPress release and has been enabled by default since WordPress 3.5. It stays for backward compatibility with clients and integrations that have not moved to the REST API, which is why even a fully updated site usually has it switched on.
If you are running an outdated WordPress version, update it first. An outdated core, theme or plugin exposes known, already patched vulnerabilities, and that does you more harm than brute-force attempts through XML-RPC.
Related Guide – The Ultimate WordPress hack removal guide
XML-RPC can put your website at risk
Two well-known abuses of XML-RPC can put your website at risk:
DDoS attacks via pingbacks
Apart from remote publishing, xmlrpc.php also implements pingbacks: the notifications your site receives when another blog links to one of your posts. (Trackbacks, the older cousin of pingbacks, go through wp-trackback.php rather than xmlrpc.php.) A pingback arrives as a call to the pingback.ping method, which needs no credentials, and to verify the link your site fetches the page named as the source.
Attackers abuse this in two directions. They can flood your xmlrpc.php with pingback requests until the server can no longer serve real visitors, and they can send pingback requests that name a victim site as the source to thousands of WordPress sites at once, so that all of those sites fetch the victim's pages and your site becomes one node of a reflected DDoS attack. Either way, the endpoint has to answer and do work for every request, with no login in front of it.
Brute-force attacks via XML-RPC
XML-RPC (XML Remote Procedure Call) carries method calls encoded as XML in the body of an HTTP POST, which is what lets a remote client create, edit or delete posts and media on your WordPress website. There are no login sessions or nonces: every call to a content method carries the username and password as its first parameters. The protocol also offers system.multicall, which bundles many method calls into a single HTTP request so that a client can push a large amount of data in one go.
That bundling is what makes XML-RPC attractive for brute force. An attacker can pack hundreds of wp.getUsersBlogs calls, each with the same username and a different password, into one POST, so per-request rate limits and login-page protections never see the individual guesses. Send enough requests and one combination eventually succeeds, and your site is compromised. Current WordPress versions stop checking credentials after the first failed call inside a multicall, which blunts the amplification, but every request still delivers a guess, and none of this traffic goes through wp-login.php, where most login-protection plugins look.
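The following script, added here as an example and not part of the original article or of WordPress itself, builds the two request shapes described in the pingback and brute-force sections above with Python's standard library and then shows a classifier that a WAF rule or a log pipeline could apply to POST bodies sent to xmlrpc.php. The method list, the threshold and the hostnames are assumptions for the example.

```python
"""Build and inspect the two abusive XML-RPC request shapes described above."""
import xmlrpc.client

# Methods whose first two parameters are (username, password): one guess per call.
# Assumed list for this example; the full WordPress method table is longer.
CREDENTIALED_METHODS = {
    "wp.getUsersBlogs", "blogger.getUsersBlogs", "metaWeblog.getUsersBlogs",
    "wp.getPosts", "wp.getUsers", "wp.getProfile",
}
MAX_CALLS_PER_MULTICALL = 10  # assumed threshold; tune to what your real clients send


def build_call(method, *params):
    """A single <methodCall> body, e.g. build_call("wp.getUsersBlogs", user, password)."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def build_multicall(calls):
    """Wrap (method, params) pairs in one system.multicall body."""
    structs = [{"methodName": method, "params": list(params)} for method, params in calls]
    return xmlrpc.client.dumps((structs,), methodname="system.multicall")


def build_multicall_bruteforce(username, passwords):
    """One HTTP request carrying len(passwords) login attempts."""
    return build_multicall([("wp.getUsersBlogs", (username, pw)) for pw in passwords])


def build_pingback(source_uri, target_uri):
    """pingback.ping needs no credentials; the receiving site fetches source_uri
    to verify that it links to target_uri, which is the reflection primitive."""
    return build_call("pingback.ping", source_uri, target_uri)


def inspect_request(body):
    """Classify one xmlrpc.php POST body. Returns (verdict, detail)."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # not XML, or not an XML-RPC call
        return "malformed", str(exc)
    if method == "system.multicall":
        calls = params[0] if params and isinstance(params[0], list) else []
        credentialed = [c for c in calls
                        if isinstance(c, dict) and c.get("methodName") in CREDENTIALED_METHODS]
        if len(credentialed) > 1:
            return "bruteforce", f"{len(credentialed)} credentialed calls in one request"
        if len(calls) > MAX_CALLS_PER_MULTICALL:
            return "oversized_multicall", f"{len(calls)} calls"
        return "ok", "multicall"
    if method == "pingback.ping":
        if len(params) != 2:
            return "malformed", "pingback.ping expects source and target URIs"
        # Log both URIs: a source your site would never link to means it is
        # being used as a reflector against that host.
        return "pingback", f"{params[0]} -> {params[1]}"
    if method in CREDENTIALED_METHODS:
        return "login_attempt", method
    return "ok", method or "no method name"


if __name__ == "__main__":
    attack = build_multicall_bruteforce("admin", [f"Password{i}" for i in range(500)])
    print(len(attack), "bytes:", inspect_request(attack))
    print(inspect_request(build_pingback("http://victim.example/page",
                                         "http://this-site.example/?p=7")))
```

Running it shows the point of the brute-force section: a single request of a few tens of kilobytes carries 500 password guesses, and a login-page rate limit never sees any of them. The classifier treats more than one credentialed call in a multicall as hostile outright, because no legitimate client has a reason to log in twice in one request.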
How to check if xmlrpc.php is running on a website or not?
Before disabling XML-RPC, check whether xmlrpc.php is actually reachable on your website.
The quickest check is to open https://your-site.example/xmlrpc.php in a browser (your own domain in place of the placeholder): a live endpoint answers with the line 'XML-RPC server accepts POST requests only.' (WordPress sends it with HTTP status 405), while a 403 or 404 means the web server blocks the file or it has been removed. You can also use a third-party check such as the WordPress XML-RPC Validation Service, which exercises the endpoint with real method calls.
If xmlrpc.php is still reachable, move on to the next section and follow the instructions carefully.
How to disable XML-RPC service?
1. Disable XML-RPC via a plugin
Download the WP Hardening plugin from the WordPress plugin directory. Log in to your WordPress dashboard, go to Plugins >> Add New, upload the plugin file and activate it. A 'WP Hardening' entry appears near the bottom of the left-hand dashboard menu.
Then, follow these steps to disable XML-RPC with the WP-Hardening plugin:
- Go to the ‘WP Hardening’ icon.
- Select the ‘Security fixes’ tab in the plugin.
- Toggle the switch next to 'Disable XML-RPC', and you are done.
Besides disabling xmlrpc.php, the WP Hardening plugin covers several other hardening steps: changing the admin URL, disabling the file editor, disabling WP-JSON (the REST API; the block editor and many plugins depend on it, so test that switch before using it on a production site), hiding sensitive files, and stopping user enumeration. Follow the knowledge base to learn more about the WP-Hardening settings.
2. Disable XML-RPC without a plugin
- Via a filter: the xmlrpc_enabled filter switches off every XML-RPC method that requires authentication. Add the following line to a small must-use plugin (a file in wp-content/mu-plugins/) or to your theme's functions.php:
add_filter( 'xmlrpc_enabled', '__return_false' );
Note the double underscore in __return_false, WordPress's built-in helper that returns false. WordPress consults this filter only when a method tries to log in, so methods that need no credentials, pingback.ping included, keep working and the endpoint still answers requests. The filter stops the brute-force attacks described above but not the pingback abuse; to drop pingbacks as well, remove pingback.ping through the xmlrpc_methods filter, or block the file at the web server as in the next option.
- Via the .htaccess file: add this block to the .htaccess file in your WordPress root directory:
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>
This makes Apache answer every request for xmlrpc.php with a 403 before WordPress runs, so it covers pingbacks and logins alike. The Order/Deny syntax (with no space after the comma) is for Apache 2.2 and for 2.4 with mod_access_compat loaded; on a plain Apache 2.4 use Require all denied inside the same <Files> block, and on nginx use a location block that returns 403. Blocking the file also breaks anything that still relies on XML-RPC, such as the Jetpack plugin and the WordPress mobile apps, so check those before you deploy it.
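The script below is an added example, not code from the original article or from WordPress, that automates the check from the earlier section and verifies the result of whichever disabling method you chose. It sends three probes: a GET of xmlrpc.php, a wp.getUsersBlogs call with throwaway credentials, and system.listMethods. The classification relies on what current WordPress returns: a GET gets the text 'XML-RPC server accepts POST requests only.', the xmlrpc_enabled filter yields faultCode 405, and a wrong password yields faultCode 403. The site URL and the probe credentials are placeholders.

```python
"""Audit a WordPress site's xmlrpc.php: reachable? credentialed methods
disabled? pingback.ping still exposed?"""
import sys
import urllib.error
import urllib.request
import xmlrpc.client

# Assumed throwaway credentials: they are meant to fail. Never probe with a real password.
PROBE_USER = "probe-user"
PROBE_PASS = "definitely-not-the-password"


def fetch(url, body=None, timeout=10):
    """GET (body is None) or POST an XML body; return (http_status, response_text)."""
    data = body.encode() if body is not None else None
    headers = {"Content-Type": "text/xml"} if data else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 403/404/405 replies still carry a body
        return err.code, err.read().decode(errors="replace")


def endpoint_state(status, text):
    """Interpret a GET of /xmlrpc.php: WordPress answers 405 with a fixed message when live."""
    if "accepts POST requests only" in text:
        return "reachable"
    if status in (403, 404):
        return "blocked"  # denied by the web server (.htaccess) or the file is gone
    return "unknown"


def login_state(status, text):
    """Interpret the reply to wp.getUsersBlogs sent with the throwaway credentials."""
    if status != 200:
        return "blocked"
    try:
        xmlrpc.client.loads(text)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 405:
            return "auth_disabled"  # xmlrpc_enabled filter returned false
        if fault.faultCode == 403:
            return "auth_enabled"   # the credentials were really checked
        return f"fault_{fault.faultCode}"
    except Exception:
        return "unknown"            # not an XML-RPC reply at all
    return "auth_enabled"           # a non-fault reply means the probe credentials worked


def pingback_exposed(status, text):
    """Interpret the reply to system.listMethods: is pingback.ping still offered?"""
    if status != 200:
        return False
    try:
        (methods,), _ = xmlrpc.client.loads(text)
    except Exception:
        return False
    return "pingback.ping" in methods


def audit(base_url):
    """Run the three probes against a site and return a small report dict."""
    url = base_url.rstrip("/") + "/xmlrpc.php"
    report = {"endpoint": endpoint_state(*fetch(url))}
    if report["endpoint"] == "reachable":
        login = xmlrpc.client.dumps((PROBE_USER, PROBE_PASS), methodname="wp.getUsersBlogs")
        report["login"] = login_state(*fetch(url, login))
        listing = xmlrpc.client.dumps((), methodname="system.listMethods")
        report["pingback_exposed"] = pingback_exposed(*fetch(url, listing))
    return report


if __name__ == "__main__":
    # Placeholder URL; pass your own site as the first argument.
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "https://example.com"))
```

After applying the filter you should see endpoint 'reachable', login 'auth_disabled' and pingback_exposed True, which is exactly the gap the caveat above describes; after the .htaccess block the endpoint reports 'blocked' and the other probes are skipped. Run it only against sites you own or are authorised to test.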
We know you have heard it many times, but before making any manual change, back up your site files and database. The backup is what you fall back on when a change goes wrong or when your website is hacked.
Although we have explained how to disable xmlrpc.php, doing so is not a cure-all. It removes one entry point; an attacker will look for another weakness on your website to exploit.
Related Guide – WordPress Malware Removal
We recommend putting a web application firewall in front of the site to block attack attempts by bots and hackers.
Astra's security firewall blocks XSS, CSRF, SQLi and similar attack attempts, and with round-the-clock customer support you can put the security practices your website is missing in place.