WordPress comes with built-in features that let you interact with your website remotely. Sometimes you need to access your WordPress website and you don’t have your computer with you.

For a long time, WordPress provided a solution for this in the form of the xmlrpc.php file. But in recent years this file has become a vulnerability rather than a perfect solution.

Here, we will discuss what xmlrpc.php is in WordPress, what the security issues of XML-RPC are, and why we need to disable this option.

What is xmlrpc.php?

XML-RPC is a feature of WordPress that enables data transmission, with HTTP as the transport mechanism and XML as the encoding mechanism.

For example, you want to post content to your WordPress website from your mobile device because you don’t have your computer nearby. For this task, you can use the remote access feature of the xmlrpc.php file.

In the latest version of WordPress, the XML-RPC feature is disabled by default. But in the previous version 3.5, this feature was enabled by default. The main reason to enable this feature in WordPress is to allow the WordPress mobile app to communicate with your WordPress website.

Why do we need to disable it?

The main reason for disabling XML-RPC on your WordPress website is that this file exposes it to several kinds of attack. You can protect your WordPress website with strong passwords and various security plugins, but the best protection is simply to disable this feature on your WordPress site.

There are 2 main weaknesses of the XML-RPC feature in WordPress.

Brute Force Attack

Every request made through xmlrpc.php carries a username and password for authentication, whereas other APIs do not: they send a token for authentication instead of a username and password.

Because xmlrpc.php sends the authentication information with every request, hackers can use this to try to gain access to your website. A successful brute force attack lets them insert, delete, and modify the website code or damage your website database.

If a hacker sends enough requests with different username and password pairs, there is a chance that they will hit on the right one and get access to your WordPress website.

That’s why, if you are using an up-to-date version of WordPress and using different authentication APIs to communicate with external systems, you should disable the XML-RPC option on your WordPress website.

DDoS Attack (Pingbacks)

DDoS is the second attack that can occur if xmlrpc.php is enabled on your site: the site can be taken offline through a DDoS attack. Pingbacks and trackbacks are features of xmlrpc.php. If xmlrpc.php is enabled on your site, a hacker can send a vast number of pingbacks to your WordPress site in a short period of time. This attack could overload your server and put your website out of action.
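
One way to spot both patterns described above in a web server access log, as an added example that is not from the original article: it counts POST requests to xmlrpc.php per client IP inside a sliding time window. The log lines are constructed, and the threshold of 5 requests per 60 seconds is an assumed starting point to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in "combined" format; the IPs are documentation ranges.
_LINE = '{ip} - - [12/Mar/2024:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
SAMPLE_LOG = "\n".join(
    # eight POSTs to xmlrpc.php in 35 seconds from one client
    [_LINE.format(ip="203.0.113.7", m=0, s=s, req="POST /xmlrpc.php") for s in range(0, 40, 5)]
    # two POSTs five minutes apart, e.g. a mobile app publishing
    + [_LINE.format(ip="198.51.100.20", m=m, s=0, req="POST /xmlrpc.php") for m in (0, 5)]
    # unrelated traffic that must be ignored
    + [_LINE.format(ip="192.0.2.10", m=1, s=0, req="GET /xmlrpc.php"),
       _LINE.format(ip="192.0.2.10", m=1, s=1, req="POST /wp-login.php")]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def xmlrpc_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak number of POSTs to xmlrpc.php within `window`} for
    every client whose peak reaches `threshold` (both defaults are assumptions)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            hits[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to xmlrpc.php within 60 s")
```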

If you want to check whether XML-RPC is running on your WordPress website, you can use the XML-RPC validator. Simply enter your website link and click on the Check button.

If you get an error message, it means that XML-RPC is not enabled on your website. But if you get a success message, you can disable XML-RPC on your WordPress website with one of the following methods.

Method 1: Disable xmlrpc.php With WordPress Plugin

Installing a plugin is one of the easiest ways to disable xmlrpc.php on your WordPress website. You can easily disable XML-RPC by using the LoginPress Pro plugin. Simply follow the given steps to disable XML-RPC on your website with LoginPress.

1. Log in to your WordPress website Dashboard
2. Install and activate the LoginPress Pro version
3. Navigate to LoginPress → Settings
4. In the Settings window of LoginPress click on the Limit Login option
5. In the Limit Login Tab, you will have an option to Disable XML RPC Request.
6. Click on the Toggle button to disable the XML RPC option and click on the Save Changes button.

Method 2: Disable xmlrpc.php Manually

If you don’t want to use a plugin to disable xmlrpc.php, you can disable XML-RPC manually through the .htaccess file of your website.

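1. Open the .htaccess file of your WordPress website
2. Now copy and paste the given code to your .htaccess file

# Block WordPress xmlrpc.php requests
# (Apache 2.2 access syntax; on Apache 2.4 it requires mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
# Replace xxx.xxx.xxx.xxx with an IP address that must keep access, or remove this line
allow from xxx.xxx.xxx.xxx
</Files>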

Method 3: Disable xmlrpc.php From the Theme

If you want to disable XML-RPC on the complete site, use this filter in your child theme’s functions.php file.

add_filter( 'xmlrpc_enabled', '__return_false' );

This filter will disable the XML-RPC on your WordPress website.
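
A check to run against a site you administer after applying any of the methods above, as an added example that is not from the original article. WordPress's own documentation for the xmlrpc_enabled filter says it switches off only the methods that require authentication and does not control pingbacks, so the endpoint may still answer; the code posts system.listMethods and reports whether pingback.ping is still offered. The function names and the constructed sample replies are assumptions of this example.

```python
import urllib.error
import urllib.request
import xmlrpc.client

# Request body for the standard XML-RPC introspection call.
LIST_METHODS = xmlrpc.client.dumps((), methodname="system.listMethods").encode()

# Constructed replies so the classifier can be exercised offline.
SAMPLE_OPEN = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs", "pingback.ping"],), methodresponse=True
).encode()
SAMPLE_FORBIDDEN = b"<html><body><h1>403 Forbidden</h1></body></html>"


def classify(status, body):
    """Interpret the HTTP status and body returned for system.listMethods."""
    result = {"reachable": False, "pingback": False, "detail": f"HTTP {status}"}
    if status != 200:
        return result  # e.g. 403 once the <Files xmlrpc.php> rule is active
    try:
        (methods,), _ = xmlrpc.client.loads(body)
        methods = list(methods)
    except xmlrpc.client.Fault as fault:
        # The endpoint parsed the call but refused it.
        result.update(reachable=True, detail=f"fault {fault.faultCode}")
        return result
    except Exception as exc:  # HTML error page, empty body, malformed XML
        result["detail"] = f"not an XML-RPC reply ({type(exc).__name__})"
        return result
    result.update(reachable=True, pingback="pingback.ping" in methods,
                  detail=f"{len(methods)} methods listed")
    return result


def check_site(base_url, timeout=10):
    """POST system.listMethods to <base_url>/xmlrpc.php on a site you administer."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php", data=LIST_METHODS,
        headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN))
    print(classify(403, SAMPLE_FORBIDDEN))
```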

Conclusion

XML-RPC was created so that WordPress websites could communicate with external systems and applications. But because of how it works, in particular its authentication process, various security issues have arisen, which means hackers can easily attack your WordPress website.

Current APIs now let you communicate with external systems and applications using a token for authentication instead of a username and password. You can now disable xmlrpc.php for safe communication by following the above methods; by disabling it you will improve the level of your website security.