Also known as PHPXMLRPC, the XML-RPC protocol is used in WordPress, Drupal, WikiTeX, TikiWiki, OpenAutonomy, Xaraya, Ampache, PostNuke, and many other open source projects. The XML-RPC protocol was originally created in PHP for ease of use and flexibility.
WordPress documentation about XML-RPC is rather poor, but we will try to tell you how it works in more detail.
- XML-RPC allows direct posting to your blog using metaWeblog API, Blogger API, Pingback API and Movable Type API and other similar clients.
- XML-RPC allows direct posting to your blog using Thunderbird, Eudora, and other email applications.
- XML-RPC allows to receive trackbacks and pingbacks from other sites to your website.
Only a few people use the functionality of remote-posting. However, many websites are definitely using the XML-RPC protocol for the trackback and pingback.
- Fine-grained decoding and encoding from php to xmlrpc
- Supports creating both xmlrpc servers and clients
- Supports http compression for both responses and requests, proxies, cookies, basic https and auth
- Supports ASCII, Latin-1 and UTF8 character encodings
- Optional validation of incoming xmlrpc request` parameter types
- Supports the <EX:NIL/> and <NIL/> extensions
- Includes web based visual debugger
- Allows register class methods or php function as web services
Some users may remember the times of WordPress 2.1.2 when there was a security issue associated with the xmlrpc.php. Although, this issue was promptly eliminated in the next WP version, another vulnerability was discovered. It all caused led the WordPress to disable remote access by defaults. However, for the sake of trackbacks (wp) and pingbacks, the xmlrpc.php file is still contained in the <head> document, but the remote-access is disabled by defaults.
If you don’t need trackbacks, pingbacks or remote-posting, it is better to remove the xmlrpc.php file, since if the file is available, it will be easy for hackers to use it. The thing is that with the help of xmlrpc.php they can break into your website! However, to avoid an avalanche of 404 errors, consider the consequences before doing something. If you are going to remove the xmlrpc.php, see some pieces of advice below.
Firstly, disable the remote-publishing
If you won’t do it, you will receive trackbacks and pingbacks. This step alone will help you to strengthen your website’s security. The file will remain on your server, but hackers will not be able to do anything with it.
Secondly, prevent scanning of the xmlrpc.php directory
If you keep an eye on your server error logs and access, you may have noticed a great amount of malicious xmlrpc.php directory scanning for the last time. For example:
http://domain.tld/2012/xmlrpc.php
http://domain.tld/2012/07/xmlrpc.php
http://domain.tld/2013/09/11/xmlrpc.php
http://domain.tld/2014/16/02/permalink/xmlrpc.php
http://domain.tld/2008/22/32/permalink/xmlrpc.php
http://domain.tld/2008/12/43/permalink/xmlrpc.php
This kind of actions prevent your site from working at maximum capacity, hogs bandwidth and drains resources of your server. Paste the following function in the web-accessible root Htaccess file of your website to prevent this malicious issue:
<IfModule mod_alias.c>
RedirectMatch 301 /(.*)/xmlrpc\.php$ http://domain.tld/xmlrpc.php
</IfModule>
This simple function will redirect all requests for your websites xmlrpc.php file.
Note: If mod_alias module is disabled, this function will not work.
The following strings:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase
RewriteRule ^xmlrpc\.php$ / [R=302,L]
</IfModule>
will redirect you to the main page of your website.
And using these:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
will deny access to your xmlrpc.php file.
Also, remove the links to wlwmanifest.xml and xmlrpc.php.
Place the following function in the functions.php file of your theme:
function removeHeadLinks() {
remove_action(‘wp_head’, ‘rsd_link’);
remove_action(‘wp_head’, ‘wlwmanifest_link’);
}
add_action(‘init’, ‘removeHeadLinks’);
These files will still be available on your website, but it will prevent them from being linked to in the header.
Finally, deny access to the xmlrpc.php file using the .htaccess file
To do it, just insert the following code into your root HTAccess file.
<IfModule mod_alias.c>
RedirectMatch 403 /(.*)/xmlrpc\.php$
</IfModule>
See more what is the .htaccess file and how to use it?
Pay Attention: Before making any changes, it is strongly recommended to make a backup of your .htaccess file!
If all abovementioned actions are too difficult for you, but you don’t want hackers to break into your site, try the Htaccess plugin. It allows to you control access to your website as well as to deny access to your xmlrpc.php file within a few clicks. Moreover, the plugin allows to disable hotlinking on your website. What is hotlinking?
FYI: Use the plugin only if you don’t need trackbacks and pingbacks (they will be disabled). Htaccess plugin works with .htaccess file only, and will be useful for those people who want to protect their website using the .htaccess file, but afraid to make any changes to it manually.
Also, try using both Htaccess and Limit Attempts plugins. They will provide maximum security for your website.
Download Limit Attempts plugin: https://bestwebsoft.com/products/limit-attempts/
Download Htaccess plugin: https://bestwebsoft.com/products/htaccess/