XML-RPC is a specification that enables communication between WordPress and other systems. It did this by standardizing those communications, using HTTP as the transport mechanism and XML as the encoding mechanism.
XML-RPC predates WordPress: it was present in the b2 blogging software, which was forked to create WordPress back in 2003. The code behind the system is stored in a file called xmlrpc.php, in the root directory of the site. And it’s still there, even though XML-RPC is largely outdated.
In early versions of WordPress, XML-RPC was turned off by default. But since version 3.5, it’s been enabled by default. The main reason for this was to allow the WordPress mobile app to talk to your WordPress installation.
If you used the WordPress mobile app before version 3.5, you may recall having to enable XML-RPC on your site for the app to be able to post content. This was because the app wasn’t running WordPress itself; instead, it was a separate app communicating with your WordPress site using xmlrpc.php.
But it wasn’t just the mobile app that XML-RPC was used for: it was also used to allow communication between WordPress and other blogging platforms, it enabled trackbacks and pingbacks, and it powered the Jetpack plugin which links a self-hosted WordPress site to WordPress.com.
But since the REST API was integrated into WordPress core, the xmlrpc.php file is no longer used for this communication. Instead, the REST API is used to communicate with the WordPress mobile app, with desktop clients, with other blogging platforms, with WordPress.com (for the Jetpack plugin) and with other systems and services. The range of systems the REST API can interact with is much greater than the one allowed by xmlrpc.php. Also, there is much more flexibility.
Because the REST API has superseded XML-RPC, you should now disable xmlrpc.php on your site. Let’s see why.
Why You Should Disable xmlrpc.php
The main reason why you should disable xmlrpc.php on your WordPress site is because it introduces security vulnerabilities and can be the target of attacks.
Now that XML-RPC is no longer needed to communicate outside WordPress, there’s no reason to keep it active. That’s why it’s wise to make your site more secure by disabling it.
The reason for this is because one of the key features of WordPress will always be backward compatibility. If you’re managing your site well, you will know that keeping WordPress up-to-date, as well as any plugins or themes, is essential.
But there will always be website owners who are unwilling or unable to update their version of WordPress. If they are running a version that predates the REST API, they will still need access to xmlrpc.php.
Let’s look at the specific vulnerabilities in more detail.
DDoS Attacks via XML-RPC Pingbacks
One of the functions that xmlrpc.php enabled was pingbacks and trackbacks. These are the notifications that appear in the comments on your site when another blog or site links to your content.
The XML-RPC specification was what made this communication possible, but that’s been replaced by the REST API (as we saw already).
If XML-RPC is enabled on your site, a hacker could potentially mount a DDoS attack on your site by exploiting xmlrpc.php to send vast numbers of pingbacks to your site in a short time. This could overload your server and put your site out of action.
Brute Force Attacks via XML-RPC
Each time xmlrpc.php makes a request, it sends the username and password for authentication. This presents a significant security liability and is something that the REST API does not do. In fact, the REST API uses OAuth which sends tokens for authentication instead of usernames or passwords.
Because xmlrpc.php sends authentication information with every request, hackers could use it to try to access your site. A brute force attack like this might allow them to insert content, delete code, or damage your database.
If an attacker sends enough requests to your site, each with a different username and password pair, there is a chance they could eventually hit on the right one, giving them access to your site.
That’s why, if you are running an up-to-date version of WordPress, which uses the REST API to communicate with external systems, you should disable xmlrpc.php. It isn’t needed and it could be making your site vulnerable.
Is xmlrpc.php Running on Your WordPress Site?
The first thing you need to do is identify whether xmlrpc.php is running on your WordPress site.
This isn’t a simple case of checking whether the file is there: it’s part of every WordPress installation and will be present even if XML-RPC is disabled.
To check if xmlrpc.php is enabled on your site, use the WordPress XML-RPC Validation Service. This will check your site and tell you if xmlrpc.php is enabled.
Disable xmlrpc.php via the .htacess File
In your .htaccess file, add this code:
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>