• Home  / 
  • WordPress
  •  /  What Is WordPress XML-RPC and How to Stop an Attack

What Is WordPress XML-RPC and How to Stop an Attack

What is XML-RPC ?

Let me start by introducing XML-RPC. XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. “XML-RPC” also refers generically to the use of XML for remote procedure call, independently of the specific protocol.

Here, RPC stands for Remote Procedure Call that offers developers a mechanism for defining interfaces that can be called over a network. The client specifies some procedures and parameters in the XML request, and the server returns either a fault or a response in the XML response.

The WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as encoding mechanism which allows for a wide range of data to be transmitted.

For example, let’s say you wanted to post to your site from your mobile device since your computer was nowhere nearby. You could use the remote access feature enabled by XML-RPC to do just that.


In 2008, with version 2.6 of WordPress, there was an option to enable or disable XML-RPC. However, with the release of the WordPress iPhone app, XML-RPC support was enabled by default, and there was no option to turn off the setting. This has remained true to the present day.

However, the functionality of this file has greatly decreased over time, and the overall size of the file has decreased from 83kb to 3kb, so it doesn’t play as large of a role as it used to.

The appearance of the new WP API will see the defeat of XML-RPC. The WordPress API would already be able to be utilized, however requires a module initiation is still in its test stage. Not very far later on, it will be a piece of the WordPress center code, which is the point at which it will begin to infringe on XML-RPC region.

Problems with WordPress XML-RPC:

The biggest issues with XML-RPC are the security concerns that arise. The issues aren’t with XML-RPC directly, but instead how the file can be used to enable a brute force attack on your site.

Indeed, you can ensure yourself with extraordinarily solid passwords, and WordPress security modules. Be that as it may, the best method of security is to just handicap it.
There are two principle shortcomings to XML-RPC which have been abused previously.

1) Brute force attacks:

Brute force attacks are most common in WordPress site. Hackers try to access your dashboard by many login attempts. They can effectively use a single command to test hundreds of different passwords. This allows them to bypass security tools that typically detect and block brute force attacks.

WordPress has common admin URL i.e., wp-admin. Thus, hackers took advantage of it. By using secret method of XML-RPC, attackers launch brute force attacks that are very hard to detect. The attacker exploits XML-RPC request by trying an endless number of username/ password combinations until they gain entry into your site.

2) DDoS (Distributed Denial of Service) attacks:

The second was taking sites offline through a DDoS attack. Hackers would use the pingback feature in WordPress to send pingbacks to thousands of sites instantaneously that may hog the server and slow your site down.

To check if XML-RPC is running on your site, then you can run it through a tool called XML-RPC Validator. Run your site through the tool, and if you get an error message, then it means you don’t have XML-RPC enabled.

If you get a success message, then you can stop xmlrpc.php with approach below.

Stopping attacks on WordPress XML-RPC:

However, due to some security issues, the best thing you can do to prevent attacks is to disable it.

Open up your .htaccess file. You may have to turn on the ‘show hidden files’ within file manager or your FTP client to locate this file.

Inside your .htaccess file, paste the following code:

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from //(This will be your IP Address)



Closing Thoughts:

Generally speaking, XML-RPC was a strong answer for a portion of the issues that happened because of remote distributing to your WordPress site. Be that as it may, with this component came some security openings that wound up being truly harming for some WordPress site proprietors.

To guarantee your site stays secure it’s a smart thought to cripple xmlrpc.php completely. Except if you require a portion of the capacities required for remote distributing and the Jetpack module. At that point, you should utilize the workaround modules that take into consideration these highlights, while as yet fixing the security openings.

In time, we can expect the highlights of XML-RPC to wind up coordinated into the new WordPress API, which will keep remote access and so forth, without giving up security. Be that as it may, meanwhile, it’s a smart thought to shield yourself from the potential XML-RPC security openings.

I hope this article might clean up your some confusions about XML-RPC!

About the author