Learn about xmlrpc.php, security risks and how to fix it

Tram Ho

Just now, in my project I encountered a series of requests that caused an increase in CPU load. I researched and found that these were most likely DoS-related requests exploiting security holes in WordPress's xmlrpc.php. So I looked up articles on this WordPress mechanism and asked for permission to translate the following article: https://kinsta.com/jp/blog/xmlrpc-php/


XML-RPC is a WordPress mechanism developed to standardize communication between different systems, so that applications outside WordPress (other blogging platforms, desktop clients and so on) can interact with it.

This specification has been part of WordPress since its inception and has played a very useful role: without it, WordPress would have been cut off from the rest of the internet.

However, xmlrpc.php has its downsides. It can expose your WordPress site to attack, and its role is now being taken over by the WordPress REST API, which also lets you connect WordPress to other applications.

In this article I will explain what xmlrpc.php is, why you should disable it, and how to find out whether it is enabled on your WordPress site.

Are you ready? Start!

What is xmlrpc.php?

XML-RPC is a mechanism that allows communication between WordPress and other systems. It standardizes that communication by using HTTP as the transport and XML as the encoding for requests and responses (it is an encoding, not encryption: nothing in XML-RPC itself is encrypted).

XML-RPC itself is much older than WordPress: it was already present in b2, the blogging software from which WordPress was forked in 2003. The code behind it lives in a file named xmlrpc.php in the website's root directory. XML-RPC is outdated, but it is still there.

In earlier versions of WordPress, XML-RPC was disabled by default. As of version 3.5 it is enabled by default, and the admin-screen option to turn it off was removed. The main reason for this was to let the WordPress mobile app communicate with your website.

Before version 3.5, you had to enable XML-RPC on your website to post content from the mobile app (remember?). This is because the app does not run WordPress itself; it uses xmlrpc.php to talk to your WordPress site.

But the mobile app is not the only use of XML-RPC. It is also used for communication between WordPress and other blogging platforms, for trackbacks and pingbacks, and by the Jetpack plugin to link a self-hosted WordPress site to WordPress.com.

Later, the REST API was integrated into WordPress core, and xmlrpc.php is no longer needed for this communication. The REST API is now used to talk to the WordPress mobile apps, desktop clients, external blogging platforms, WordPress.com (for the Jetpack plugin), and other systems and services. The range of systems the REST API can connect to is much wider than that of xmlrpc.php, and it is far more flexible.
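To make the mechanism concrete, here is what an XML-RPC call to WordPress looks like on the wire, together with a check for whether xmlrpc.php is reachable. This is an added example written for this page, not code from the original article or from WordPress; the script name, the probe credentials and the sample replies are assumptions, but the fault codes it looks for (403 "Incorrect username or password." when the endpoint is live, 405 "XML-RPC services are disabled on this site." when the xmlrpc_enabled filter is off) are what WordPress's XML-RPC server returns.

```php
<?php
// Added example, not from the original article: what an XML-RPC call to
// WordPress looks like on the wire, and how to tell from the reply whether
// xmlrpc.php is enabled, disabled through the xmlrpc_enabled filter, or
// blocked by the web server. Usage: php xmlrpc-check.php https://example.com/
// Without an argument it classifies constructed sample replies.

// Build a methodCall body with string parameters (HTTP is the transport, XML the encoding).
function build_xmlrpc_request(string $method, array $params = []): string
{
    $xml = '<?xml version="1.0"?><methodCall><methodName>'
         . htmlspecialchars($method, ENT_XML1) . '</methodName><params>';
    foreach ($params as $p) {
        $xml .= '<param><value><string>' . htmlspecialchars($p, ENT_XML1) . '</string></value></param>';
    }
    return $xml . '</params></methodCall>';
}

// Return ['faultCode' => int, 'faultString' => string] for a fault reply, else null.
function parse_fault(string $body): ?array
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($body);
    if ($doc === false || !isset($doc->fault)) {
        return null;
    }
    $fault = [];
    foreach ($doc->fault->value->struct->member as $member) {
        $name = (string) $member->name;
        $fault[$name] = ($name === 'faultCode') ? (int) $member->value->int : (string) $member->value->string;
    }
    return $fault;
}

// Classify the reply to a wp.getUsersBlogs call made with bogus credentials.
// WordPress answers XML-RPC faults with HTTP 200, so the fault code carries the signal.
function classify_xmlrpc(int $status, string $body): string
{
    $fault = parse_fault($body);
    if ($fault === null) {
        // No XML-RPC reply at all: .htaccess/Nginx block (403), file removed (404), etc.
        return $status === 200 ? 'unknown' : 'blocked-at-web-server';
    }
    switch ($fault['faultCode'] ?? 0) {
        case 405: return 'disabled-by-xmlrpc_enabled-filter'; // "XML-RPC services are disabled on this site."
        case 403: return 'enabled';                          // "Incorrect username or password." - endpoint is live
        default:  return 'unknown';
    }
}

// POST the probe to <site>/xmlrpc.php and return [http_status, body].
function probe_xmlrpc(string $site): array
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: text/xml\r\n",
        'content'       => build_xmlrpc_request('wp.getUsersBlogs', ['probe', 'not-a-real-password']),
        'ignore_errors' => true,   // hand back the body even on 4xx/5xx
        'timeout'       => 10,
    ]]);
    $body = @file_get_contents(rtrim($site, '/') . '/xmlrpc.php', false, $ctx);
    $status = 0;
    if (isset($http_response_header[0]) && preg_match('#^HTTP/\S+ (\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, $body === false ? '' : $body];
}

if ($argc > 1) {
    [$status, $body] = probe_xmlrpc($argv[1]);
    echo $argv[1], ': ', classify_xmlrpc($status, $body), "\n";
} else {
    // Constructed sample replies in the format WordPress's IXR server emits.
    $fault = static fn(int $code, string $msg): string =>
        '<?xml version="1.0"?><methodResponse><fault><value><struct>'
        . '<member><name>faultCode</name><value><int>' . $code . '</int></value></member>'
        . '<member><name>faultString</name><value><string>' . $msg . '</string></value></member>'
        . '</struct></value></fault></methodResponse>';
    echo 'enabled site    : ', classify_xmlrpc(200, $fault(403, 'Incorrect username or password.')), "\n";
    echo 'filtered site   : ', classify_xmlrpc(200, $fault(405, 'XML-RPC services are disabled on this site.')), "\n";
    echo 'htaccess-blocked: ', classify_xmlrpc(403, '<html><body>Forbidden</body></html>'), "\n";
}
```

Only probe sites you own or are authorized to test. The probe deliberately calls a method that requires a login rather than system.listMethods, because listMethods keeps answering even after the xmlrpc_enabled filter has been switched off and would give a false "enabled".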

So now that the REST API has replaced XML-RPC, you should disable xmlrpc.php on your website. The detailed reasons are as follows.

Why should you disable xmlrpc.php

The main reason to disable xmlrpc.php on your WordPress site is that it exposes you to security vulnerabilities and can make you a target for attack.

There is no reason to keep XML-RPC enabled, since it is no longer needed for communication with the outside world. Disabling it makes your website more secure.

But if xmlrpc.php is a security issue and no longer does useful work, why isn't it removed from WordPress entirely?

Because backwards compatibility has always been one of WordPress's main principles. Anyone who manages a website knows that keeping WordPress, plugins and themes updated is important.

However, some site owners do not want to, or cannot, update their WordPress version. If they are on a version from before the REST API was introduced, they still need access to xmlrpc.php.

Now let's take a closer look at the specific vulnerabilities.

DDoS attack using the XML-RPC pingback

One of the features that xmlrpc.php provides is pingbacks and trackbacks. These let a notification appear in your comments section when another blog or website links to your content.

This interface is provided by XML-RPC (as explained). Note that WordPress receives pingbacks only through xmlrpc.php, so if you rely on them, disabling the file disables them too.

If XML-RPC is enabled on your website, an attacker can exploit xmlrpc.php by sending a large number of pingback.ping requests to your site in a short time, launching a DDoS attack against it. Every pingback makes your server fetch and parse the remote page that supposedly links to you, so the server overloads and your website can crash. Because the server fetches whatever source URL the request names, your site can also be used as a reflector to attack a third party.
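Floods like this are visible in the web server's access log long before they are visible in the WordPress admin screen. The following detector is an added example written for this page (not from the original article): it buckets POST requests to xmlrpc.php per client and per minute and reports any client that exceeds a threshold. The log lines it runs on without arguments are constructed, the addresses come from the RFC 5737 documentation ranges, and the threshold, window and script name are assumptions to tune for your traffic.

```php
<?php
// Added example, not from the original article: scan a combined-format
// access log for bursts of POST requests to xmlrpc.php, which is what a
// pingback or login flood looks like from the server side.
// Usage: php xmlrpc-flood.php /var/log/apache2/access.log
// Without an argument it runs on constructed sample lines (addresses from
// the RFC 5737 documentation ranges; nothing here is real traffic).

const WINDOW_SECONDS = 60;  // aggregation window
const THRESHOLD      = 20;  // POSTs per client per window treated as a flood

// ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

function parse_line(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'ts' => $ts->getTimestamp(), 'method' => $m[3],
            'path' => explode('?', $m[4], 2)[0], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Returns [ip => [window_start_epoch => count]] for clients exceeding THRESHOLD.
function find_xmlrpc_floods(iterable $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || $r['method'] !== 'POST' || !str_ends_with($r['path'], '/xmlrpc.php')) {
            continue;
        }
        $bucket = intdiv($r['ts'], WINDOW_SECONDS) * WINDOW_SECONDS;
        $counts[$r['ip']][$bucket] = ($counts[$r['ip']][$bucket] ?? 0) + 1;
    }
    $floods = [];
    foreach ($counts as $ip => $buckets) {
        foreach ($buckets as $start => $n) {
            if ($n >= THRESHOLD) {
                $floods[$ip][$start] = $n;
            }
        }
    }
    return $floods;
}

// Constructed sample: one client hammers xmlrpc.php, another browses normally
// and posts once from a mobile app (a legitimate single XML-RPC call).
function sample_lines(): array
{
    $fmt = '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "%s"';
    $t0 = new DateTimeImmutable('2024-03-01 10:15:00', new DateTimeZone('UTC'));
    $lines = [];
    for ($i = 0; $i < 40; $i++) {
        $when = $t0->modify('+' . $i . ' seconds')->format('d/M/Y:H:i:s O');
        $lines[] = sprintf($fmt, '198.51.100.7', $when, 'POST', '/xmlrpc.php', 200, 'Mozilla/5.0');
        if ($i % 10 === 0) {
            $lines[] = sprintf($fmt, '203.0.113.5', $when, 'GET', '/2024/03/hello-world/', 200, 'Mozilla/5.0');
        }
    }
    $lines[] = sprintf($fmt, '203.0.113.5', $t0->format('d/M/Y:H:i:s O'), 'POST', '/xmlrpc.php', 200, 'wp-android/23.0');
    return $lines;
}

$lines = $argc > 1 ? new SplFileObject($argv[1]) : sample_lines();
foreach (find_xmlrpc_floods($lines) as $ip => $buckets) {
    foreach ($buckets as $start => $n) {
        printf("%-16s %s  %d POSTs to xmlrpc.php in %ds\n", $ip, gmdate('Y-m-d H:i:s', $start), $n, WINDOW_SECONDS);
    }
}
```

On the constructed sample only 198.51.100.7 is reported (40 POSTs in one minute); the single mobile-app call from 203.0.113.5 stays below the threshold, which is the point of counting per client rather than per file. If your site is being used as a reflector rather than as the victim, the flood will instead show up as outbound requests from your server with a "WordPress/…" user agent, which this access-log scan does not see.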

Brute force attacks using XML-RPC

Every XML-RPC call that needs authentication carries the username and password in the request body. This is a serious security problem that the REST API does not share: the REST API authenticates logged-in users with cookies and nonces, or with tokens (for example OAuth via an authentication plugin), rather than sending the account password with every request.

So every authenticated xmlrpc.php request carries login credentials that an attacker can try to guess in order to access your website, and a successful brute-force attack can lead to content insertion, code deletion or database corruption.

If an attacker sends many requests with different username and password pairs, they will eventually hit the right combination and gain access to your account. XML-RPC makes this worse than a normal login form: the system.multicall method lets a single HTTP request carry hundreds of wp.getUsersBlogs calls, each with a different credential pair, which sidesteps per-request rate limits at the web server. (WordPress 4.4 and later refuse further authentication attempts within the same multicall once one has failed, but older installations remain fully exposed.)
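The amplification is easy to spot if you look at the request body rather than the request count. The inspector below is an added example written for this page (not from the original article): it parses a captured XML-RPC body, unwraps system.multicall if present, and counts how many login-bearing calls it contains. The sample body is constructed, every username and password in it is invented, and the list of methods treated as credential-bearing is an assumption covering the common ones rather than the full XML-RPC method table.

```php
<?php
// Added example, not from the original article: count how many credential
// pairs one XML-RPC request body carries. A normal client sends one; a
// brute-force tool wraps hundreds in system.multicall. The body below is
// constructed; every username and password in it is invented.
// Usage: php xmlrpc-multicall.php captured-body.xml   (no argument: sample body)

// Methods that take (username, password) and the index of the username parameter.
const AUTH_METHODS = [
    'wp.getUsersBlogs'       => 0,   // (username, password)
    'blogger.getUsersBlogs'  => 1,   // (appkey, username, password)
    'wp.getProfile'          => 1,   // (blog_id, username, password)
    'wp.getPosts'            => 1,
    'wp.getUsers'            => 1,
    'mt.getRecentPostTitles' => 1,
];

// Text of an XML-RPC <value>, whether typed (<string>) or untyped.
function scalar_value(SimpleXMLElement $v): string
{
    return isset($v->string) ? (string) $v->string : trim((string) $v);
}

// List of [method, username] for every login-bearing call in the request body.
function credential_attempts(string $body): array
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($body);
    if ($doc === false || !isset($doc->methodName)) {
        return [];
    }
    $calls = [];
    if ((string) $doc->methodName === 'system.multicall') {
        // One parameter: an array of {methodName, params} structs.
        foreach ($doc->params->param->value->array->data->value as $item) {
            $call = ['method' => '', 'params' => []];
            foreach ($item->struct->member as $member) {
                if ((string) $member->name === 'methodName') {
                    $call['method'] = scalar_value($member->value);
                } elseif ((string) $member->name === 'params') {
                    foreach ($member->value->array->data->value as $p) {
                        $call['params'][] = scalar_value($p);
                    }
                }
            }
            $calls[] = $call;
        }
    } else {
        $params = [];
        foreach ($doc->params->param as $p) {
            $params[] = scalar_value($p->value);
        }
        $calls[] = ['method' => (string) $doc->methodName, 'params' => $params];
    }

    $attempts = [];
    foreach ($calls as $c) {
        $idx = AUTH_METHODS[$c['method']] ?? null;
        if ($idx !== null && isset($c['params'][$idx])) {
            $attempts[] = [$c['method'], $c['params'][$idx]];
        }
    }
    return $attempts;
}

// Constructed request: three guesses for "admin" and one for "editor" in one HTTP POST.
function sample_multicall(): string
{
    $call = static function (string $user, string $pass): string {
        return '<value><struct>'
             . '<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>'
             . '<member><name>params</name><value><array><data>'
             . '<value><string>' . $user . '</string></value><value><string>' . $pass . '</string></value>'
             . '</data></array></value></member></struct></value>';
    };
    return '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
         . '<params><param><value><array><data>'
         . $call('admin', 'password1') . $call('admin', 'admin123') . $call('admin', 'letmein')
         . $call('editor', 'editor')
         . '</data></array></value></param></params></methodCall>';
}

$attempts = credential_attempts($argc > 1 ? file_get_contents($argv[1]) : sample_multicall());
printf("%d credential attempt(s) in one request", count($attempts));
if (count($attempts) > 1) {
    echo '  <-- multicall amplification, rate-limit or block';
}
echo "\n";
foreach (array_count_values(array_column($attempts, 1)) as $user => $n) {
    printf("  %-10s %d guess(es)\n", $user, $n);
}
```

More than one credential pair in a single request is never what a legitimate client does, so that condition alone is a usable block rule in a WAF or in a plugin hooked before the XML-RPC server dispatches the call.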

Hence, if you are running a current WordPress version that uses the REST API to communicate with external systems, disable xmlrpc.php. It is unnecessary and only makes your website more vulnerable to attack.

How to disable xmlrpc.php

There are three ways to disable xmlrpc.php.

Disable xmlrpc.php with a plugin

The easiest way is to install a plugin that disables xmlrpc.php. The Disable XML-RPC plugin turns it off completely. Usage is as follows.

Here I use my own website, on which xmlrpc.php is enabled; first verify that it is currently enabled.

Install and activate the plugin from the Plugins screen of the WordPress admin area.

That's all; you don't have to do anything else. XML-RPC is disabled as soon as the plugin is activated, and checking again shows that it is no longer enabled.

Just that is enough. Simple, right?

Disable XML-RPC pingbacks with a plugin

What if you want to disable certain features of xmlrpc.php and keep the others? The Disable XML-RPC Pingback plugin disables only the pingback feature, so you can continue to use the other XML-RPC features as needed.

This plugin works like the Disable XML-RPC plugin described above: just install and activate it.

Detailed control over XML-RPC and the REST API with a plugin

If you want more control over the xmlrpc.php and REST API settings on your website, you can use the REST XML-RPC Data Checker plugin.

After installing and activating this plugin, go to Settings > REST XML-RPC Data Checker and click the XML-RPC tab.

Here you can choose exactly which xmlrpc.php methods remain enabled on your website.

Or simply turn it off completely. If you also want to control the REST API, use its own tab in the same plugin.

How to disable xmlrpc.php without a plugin

If you don't want to install a plugin on your website, you can disable xmlrpc.php by adding code that hooks a WordPress filter, or by editing your .htaccess file. Let's consider both approaches.

Disable xmlrpc.php with a filter

This method uses the xmlrpc_enabled filter to turn off xmlrpc.php. Put the filter call in a small plugin and activate it on your website. Be aware that, despite its name, this filter only blocks XML-RPC methods that require a login; methods that do not, such as pingback.ping, stay reachable unless you remove them separately.

You could add it to your theme's functions.php instead, but a plugin is recommended so that the change survives a theme switch.
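Here is such a plugin, written as an added example for this page rather than taken from the original article or from any existing plugin. It combines the xmlrpc_enabled filter with the extra hooks needed to close the gap that filter leaves open (pingbacks) and to stop advertising the endpoint. The file name and the mu-plugins location are assumptions; any plugin location works.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hardened)
 * Description: Added example, not from the original article. Turns off
 * authenticated XML-RPC, removes the pingback methods that the
 * xmlrpc_enabled filter leaves reachable, and stops advertising the endpoint.
 * Install: save as wp-content/mu-plugins/disable-xmlrpc.php (mu-plugins load
 * automatically and cannot be deactivated from the admin screen).
 */

defined('ABSPATH') || exit;

// 1. The filter from the article. Every method that needs a login now fails
//    with XML-RPC fault 405 "XML-RPC services are disabled on this site."
add_filter('xmlrpc_enabled', '__return_false');

// 2. xmlrpc_enabled is checked inside the login step, so methods that never
//    log in, above all pingback.ping (the DDoS vector), still run. Take them
//    out of the method table so the server answers "method not found".
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 3. Belt and braces: refuse pingbacks for every post even if the method
//    table is restored by another plugin.
add_filter('pings_open', '__return_false');

// 4. Stop telling the world where the endpoint is: drop the X-Pingback
//    response header and the <link rel="EditURI"> tag pointing at xmlrpc.php?rsd.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

After activating it, a POST of wp.getUsersBlogs to /xmlrpc.php should come back as an XML-RPC fault 405, and a pingback.ping call should come back as fault -32601 (unknown method). PHP still executes for every request, so this reduces the attack surface but not the cost of a flood; blocking the file at the web server, as in the next section, does both.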

Another option, if your host runs Apache, is to edit the .htaccess file by connecting to your website's server via cPanel or FTP.

Disable xmlrpc.php via the .htaccess file

Add a rule to the .htaccess file that denies every request to xmlrpc.php. With this in place the file is never executed, so none of its methods (pingbacks included) are reachable and a flood costs the server almost nothing.
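The block below is an added example for this page, not the snippet from the original article. It covers both the Apache 2.4 and the legacy 2.2 authorization syntax; the commented-out address 203.0.113.10 is a documentation-range placeholder for a client (for example a Jetpack or mobile-app IP on an old WordPress version) that genuinely still needs XML-RPC.

```apache
# Added example, not copied from the article: deny every request to xmlrpc.php
# before PHP runs. Uncomment the address line only if one client must keep
# access; 203.0.113.10 is a placeholder from the RFC 5737 documentation range.
<Files xmlrpc.php>
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
        # Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        # Allow from 203.0.113.10
    </IfModule>
</Files>
```

To confirm it took effect, run `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://example.com/xmlrpc.php` (replace the host with your own site); the answer should be 403 rather than the 200 that WordPress returns for any XML-RPC reply, including faults. On Nginx there is no .htaccess; the equivalent is a `location = /xmlrpc.php { deny all; }` block in the server configuration.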


Source : Viblo