WordPress XML-RPC: How can it make your website less secure?

WordPress as a platform is built to be as extensible as possible. XML-RPC is one such optional feature: an API that lets external software connect to and interact with your site over HTTP using XML-formatted messages.

In short, it allows you to perform actions on your website remotely. This can be useful for publishing blog posts from external applications such as the WordPress mobile application, among other integrations.

XML-RPC is not insecure in and of itself. However, it is one of those features that many site owners never use yet have enabled by default, and it provides another attack surface for potential hackers.

All the functionality for XML-RPC lives in a file called xmlrpc.php within your site directory.

What are the disadvantages of WordPress XML-RPC?

One of the biggest issues with XML-RPC is that it usually reduces your WordPress security and opens your website up to various exploits.

While these issues are not inherent to the XML-RPC protocol itself, they are enabled and accelerated by XML-RPC being available as the attack surface.

The most prominent attack is the brute-force or dictionary attack. With this method, the attacker tries to gain access to your website by constantly trying username and password combinations until they guess correctly or get blocked by your system.

This can also be done through the wp-admin login page; however, with XML-RPC enabled, attackers can use the protocol to test thousands of combinations in a very short period of time with a single request. Additionally, XML-RPC can bypass some security measures and tools on your website that would typically block this kind of attack.

Another exploit that is fueled by XML-RPC is the DDoS attack. Hackers can send pingback requests to many WordPress sites at once and have each of them send requests to a target, effectively giving them control over a large number of IP addresses.
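As an added illustration, not code from the original article, the following PHP script shows the defender's side of the brute-force scenario: it scans web server access-log lines for POST requests to xmlrpc.php and reports source IPs that reach a threshold. The log lines are constructed samples.

```php
<?php
// Added example: the access-log lines below are constructed samples in the
// Apache/Nginx "combined" format, not records from a real site.
$logLines = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 9831 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-android"',
];

/**
 * Count POST requests to xmlrpc.php per source IP and return the IPs whose
 * count reaches $threshold, most active first.
 *
 * Keep the threshold low: one XML-RPC request can bundle many login attempts
 * (system.multicall), so request volume understates the number of guesses.
 */
function findXmlrpcBruteForce(array $lines, int $threshold): array
{
    // Group 1 is the client IP; the rest anchors on a POST to the endpoint.
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/xmlrpc\.php/';
    $counts  = [];
    foreach ($lines as $line) {
        if (preg_match($pattern, $line, $m) !== 1) {
            continue; // not a POST to the XML-RPC endpoint
        }
        $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
    }
    $flagged = array_filter($counts, fn(int $n): bool => $n >= $threshold);
    arsort($flagged); // highest request count first
    return $flagged;
}

foreach (findXmlrpcBruteForce($logLines, 3) as $ip => $n) {
    printf("%s: %d POSTs to xmlrpc.php\n", $ip, $n);
}
```

With the sample lines and a threshold of 3, only 203.0.113.7 is reported; the single POST from 198.51.100.4 (a legitimate mobile-app publish) is not.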

Why was XML-RPC created?

In the past, XML-RPC was much more useful to the average WordPress blogger. It was created in the early days, before WordPress even existed, as part of the B2 blogging software that was later forked into WordPress.

In earlier versions of WordPress, XML-RPC was disabled by default, and anyone who needed it had to enable it manually. From version 3.5 onwards, XML-RPC has been enabled by default, and it remains enabled by default to this day.

The main reason for enabling it by default was to allow bloggers to use the WordPress mobile application without any additional fiddling.

Bear in mind that this was during a time when internet speeds were much lower and it might’ve been too slow for people to load the full website to create a blog post. In this case, XML-RPC would allow bloggers to use an offline editor and simply publish the post through XML-RPC.

Nowadays, though, most people do not use WordPress XML-RPC, and it is mostly used by attackers for malicious purposes such as comment spam and the brute-force attacks mentioned above.

If you are not using it, it’s generally good security practice to disable it to close off one of the doors that hackers might use to abuse your website.

How to disable WordPress XML-RPC?

Since you are now aware of the issues that XML-RPC could be causing, you might want to disable it to maintain your WordPress security.

However, determining whether XML-RPC is active is not as simple as checking whether xmlrpc.php exists: the file is part of every WordPress installation, even when XML-RPC is disabled.

1. Disable with WordPress Toolkit

By far the easiest way to disable XML-RPC is through WordPress Toolkit in your hosting control panel. Since WordPress Toolkit is developed with security in mind, it can apply many security measures, including disabling XML-RPC on your website.

To do this, log in to cPanel and open WordPress Toolkit. Under your website, under “Status”, you’ll see “Security”; click the link right next to it. This will open the security screen with all the configuration options.

While it is recommended to check most of the boxes on this screen, today we’re focusing on only one of them: “Turn off pingbacks”. Pingbacks are made through XML-RPC, which is why this option turns off XML-RPC.

Do not worry about this causing issues with your website, as it is very easy to revert.

2. Disable with a Plugin

Another popular method for disabling XML-RPC to improve your WordPress security is to use a plugin for this purpose. One of the most popular plugins for this purpose is called Disable XML-RPC.

To use this plugin, log in to your WordPress website and go to Plugins -> Add New. Then, in the search box type “Disable XML-RPC”, and install the first plugin that appears.

Since this plugin has one and only one purpose, it does that easily and without any configuration. Once you enable the plugin, XML-RPC will be disabled.

3. Disable WordPress XML-RPC by adding a filter hook

While this method is the most involved, we understand that some website owners and developers prefer to use code rather than plugins wherever possible.

To disable this functionality through code, add the following line to your theme's functions.php file:

// Disable WordPress XML-RPC via the xmlrpc_enabled filter
add_filter( 'xmlrpc_enabled', '__return_false' );

Keep in mind that editing functions.php directly is not a permanent solution unless you use a child theme: the next theme update will overwrite the file, and your change with it. For that reason, it is recommended to create a child theme before editing the code of the website.
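The following must-use plugin is an added example, not the article's own code: it makes the filter above survive theme updates and also removes the pingback methods, which the xmlrpc_enabled filter alone does not cover because they require no authentication. It assumes the standard wp-content/mu-plugins directory, and the file name is an assumption.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Added example, not from the original article. Save as
 * wp-content/mu-plugins/disable-xmlrpc.php (file name is an assumption).
 * Must-use plugins load on every request and are not touched by theme
 * updates, so the change survives without a child theme.
 */

// The filter from the article. WordPress core only honours it for XML-RPC
// methods that require authentication (login, publishing, etc.).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Pingbacks need no authentication, so remove those methods separately.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and blank the pingback URL that themes print via bloginfo( 'pingback_url' ).
add_filter( 'bloginfo_url', function ( string $output, string $show ): string {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );
```

With this in place, xmlrpc.php still answers requests with an XML fault rather than disappearing; to remove the endpoint entirely, deny access to the file in your web server configuration.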

Final thoughts

As we’ve covered in this article, XML-RPC is a rarely needed feature that can cause issues for your website. Since you are most likely not using it, it is recommended to disable it to increase your WordPress security and protect yourself from attackers.

Eltris hosting aims to always provide the best service to our customers and therefore we offer cPanel with WordPress toolkit which has the option to disable XML-RPC – along with applying other security measures – with only a few clicks.