XML-RPC is a specification that enables communication between WordPress and other systems. It does this by standardizing those communications, using HTTP as the transport mechanism and XML as the encoding mechanism.
XML-RPC predates WordPress: it was present in the b2 blogging software, which was forked to create WordPress back in 2003. The code behind the system is stored in a file called xmlrpc.php, in the root directory of the site. And it’s still there, even though XML-RPC is largely outdated.
In early versions of WordPress, XML-RPC was turned off by default. But since version 3.5, it’s been enabled by default. The main reason for this was to allow the WordPress mobile app to talk to your WordPress installation.
If you used the WordPress mobile app before version 3.5, you may recall having to enable XML-RPC on your site for the app to be able to post content. This was because the app wasn’t running WordPress itself; instead, it was a separate app communicating with your WordPress site using xmlrpc.php.
But it wasn’t just the mobile app that XML-RPC was used for: it was also used to allow communication between WordPress and other blogging platforms, it enabled trackbacks and pingbacks, and it powered the Jetpack plugin, which links a self-hosted WordPress site to WordPress.com.
But since the REST API was integrated into WordPress core, the xmlrpc.php file is no longer used for this communication. Instead, the REST API is used to communicate with the WordPress mobile app, with desktop clients, with other blogging platforms, with WordPress.com (for the Jetpack plugin) and with other systems and services. The range of systems the REST API can interact with is much greater than what xmlrpc.php allowed, and it is far more flexible.
Because the REST API has superseded XML-RPC, you should now disable xmlrpc.php on your site. Let’s see why.
Why You Should Disable xmlrpc.php
The main reason to disable xmlrpc.php on your WordPress site is that it introduces security vulnerabilities and can be the target of attacks.
Now that XML-RPC is no longer needed to communicate outside WordPress, there’s no reason to keep it active. That’s why it’s wise to make your site more secure by disabling it.
The reason xmlrpc.php is still shipped with WordPress is that backward compatibility has always been one of its key features. If you’re managing your site well, you will know that keeping WordPress up-to-date, as well as any plugins or themes, is essential.
But there will always be website owners who are unwilling or unable to update their version of WordPress. If they are running a version that predates the REST API, they will still need access to xmlrpc.php.
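For a site that has moved to the REST API, the disabling recommended above can be done from WordPress itself. The must-use plugin below is an added example, not code from the original article or from WordPress; the file name is an assumption (WordPress loads every .php file in wp-content/mu-plugins regardless of name). It uses the core xmlrpc_enabled and xmlrpc_methods filters, the wp_headers filter and the rsd_link action, all of which exist in WordPress 3.5 and later.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php (name is an assumption).
 * A must-use plugin loads before regular plugins and cannot be deactivated
 * from the dashboard, so the hardening stays in place.
 */

// 1. Refuse every XML-RPC method that requires authentication.
//    Core checks this filter in wp_xmlrpc_server::login(); calls then fail
//    with the fault "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. The filter above only covers authenticated methods, so unauthenticated
//    ones such as pingback.ping stay reachable. Remove them from the method
//    table so the endpoint no longer accepts pingbacks at all.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header that
//    core adds on singular posts with pings open, and the RSD <link> tag in
//    <head> that points clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After deploying, an authenticated XML-RPC call (for example from the old mobile-app workflow) should receive the disabled-services fault, and a pingback request should receive an "unknown method" fault instead of being processed. Because the plugin only changes what WordPress answers, the file is still served by PHP; denying requests to /xmlrpc.php at the web server adds a second layer that also spares PHP the work of rejecting them.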
Let’s look at the specific vulnerabilities in more detail.