Are you looking to disable XML-RPC for WordPress websites?
This legacy WordPress feature has had its day and is being replaced by newer technology.
In this quick tutorial we will look at what it does, the security risks it brings, and how to disable it with and without installing a plugin.
What is XML-RPC?
XML-RPC is short for Extensible Markup Language Remote Procedure Call. XML-RPC for WordPress is a WordPress feature that enables remote connections between the website and external applications. The data exchanged over the connection is sent in XML format.
In the early days the internet was not as mature and well connected as it is now, so a feature like this was useful: a person could write content offline and publish it later.
But with the development of the REST API and FastAPI, times have changed. The XML-RPC feature has now become more of a security risk than an advantage, so it is better to disable it.
Why Disable XML-RPC?
Because XML-RPC lets external applications connect to your website, it creates various security risks. The two major security risks with XML-RPC are:
Brute Force Attacks: In a brute force attack, attackers try a large number of admin username and password combinations to guess the correct one. On the regular login page you can block an IP address after a certain number of incorrect passwords, add security questions to the login page, change the login URL and even add a captcha to the login page. But XML-RPC bypasses all of these WordPress login page protections.
Hence, attackers can use the XML-RPC endpoint to perform a brute force attack.
DDoS Attack: In a DDoS attack, attackers send large amounts of traffic and data to the WordPress website. The bots eat up resources and bandwidth, causing downtime and website crashes. XML-RPC can be used to generate thousands of pingbacks, shutting the website down through resource exhaustion.
How to Disable XML-RPC with Plugin?
As with almost every function, there is a WordPress plugin to disable XML-RPC. In this case we are going to use the most popular one:
Disable XML-RPC API
However, if you already have a security plugin installed on your WordPress website, check whether it already includes an option to disable XML-RPC. Many security plugins have this feature built in.
Install and activate the Disable XML-RPC API plugin. Once activated, the plugin will automatically disable XML-RPC for you. You do not have to take any extra steps.
How to Disable XML-RPC without Plugin?
WordPress plugins are easy, but not always the best solution. They add bloat to WordPress and consume website resources. Single-purpose plugins often do not get regular updates and can become a security hazard themselves.
So, disabling XML-RPC without a plugin is also an option.
On Apache
On the Apache web server, you have to add a few lines to the .htaccess file.
NOTE: You can find the .htaccess file in cPanel. Navigate to cPanel → File Manager → public_html → .htaccess. Edit the file and add the code at the end of the file.
Code:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    # Apache 2.2 access-control syntax (Apache 2.4 needs mod_access_compat for it;
    # the native 2.4 equivalent of the next two lines is: Require all denied)
    order deny,allow
    deny from all
</Files>
NOTE: Dealing with .htaccess files could be dangerous. Please learn about its functions and importance before modifying it. If you have never done it before, please take a complete backup of the WordPress website before making any changes.
On NginX
On the NginX server, you have to add the following block inside the server { } block of the site's NginX config file, then reload NginX for the change to take effect.
# Block WordPress xmlrpc.php requests (the dot is escaped so the pattern matches a literal ".")
location ~* ^/xmlrpc\.php$ {
    return 403;
}
NOTE: Dealing with Nginx config files could be dangerous. Please learn about its functions and importance before modifying it. If you have never done it before, please take a complete backup of the WordPress website before making any changes.
Wrap Up
Once you disable XML-RPC on your WordPress website, loading the file will return a 403 (Forbidden) error. You can test this by opening this URL: https://yourwebsite.com/xmlrpc.php, replacing yourwebsite.com with your own domain.
We have covered several methods to disable XML-RPC in this article, with and without a plugin. If it still does not work, contact your hosting provider; their tech team will know what is preventing it.
I hope this article helped you understand and disable XML-RPC on your WordPress website. It will make your WordPress website more secure.
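Opening the URL in a browser only sends a GET request. The following script, an added example that is not part of this article or of any plugin, checks your own site the way a real client would: it POSTs the harmless system.listMethods call from Python's standard library and reports whether the endpoint is blocked (HTTP 403), still served by WordPress, or answering with a fault. The site URL is an assumed placeholder.

```python
"""Verify that xmlrpc.php on your own WordPress site is no longer served.

Added example (not the article's or a plugin's code). Uses only the Python
standard library and the harmless system.listMethods call.
"""
import sys
import xmlrpc.client


def interpret(outcome):
    """Map a system.listMethods result or the exception it raised to a verdict.

    Kept separate from the network call so it can be checked without a live site.
    """
    if isinstance(outcome, xmlrpc.client.ProtocolError):
        if outcome.errcode == 403:
            return "blocked"  # the .htaccess / nginx rule is doing its job
        # Any other HTTP status means the web server is not blocking the file
        return f"reachable (HTTP {outcome.errcode})"
    if isinstance(outcome, xmlrpc.client.Fault):
        # WordPress itself answered in XML-RPC, so the endpoint is still served
        return f"reachable (fault {outcome.faultCode}: {outcome.faultString})"
    if isinstance(outcome, list) and "system.listMethods" in outcome:
        return f"exposed ({len(outcome)} methods advertised)"
    return f"unexpected response: {outcome!r}"


def check_xmlrpc(site_url):
    """POST system.listMethods to <site_url>/xmlrpc.php and return the verdict."""
    endpoint = site_url.rstrip("/") + "/xmlrpc.php"
    proxy = xmlrpc.client.ServerProxy(endpoint)  # no credentials are needed
    try:
        outcome = proxy.system.listMethods()
    except (xmlrpc.client.ProtocolError, xmlrpc.client.Fault) as exc:
        outcome = exc  # non-200 status or an XML-RPC fault from WordPress
    return interpret(outcome)


if __name__ == "__main__":
    # Usage: python check_xmlrpc.py https://yourwebsite.com  (assumed placeholder)
    site = sys.argv[1] if len(sys.argv) > 1 else "https://yourwebsite.com"
    print(check_xmlrpc(site))
```

A verdict of "blocked" confirms the web server rule; "exposed" means the method list was returned and the endpoint is still open.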