For security reasons, XML-RPC in WordPress has been disabled by default for a long time. However, in WordPress 3.5 and later, XML-RPC is set to be enabled by default and there is no place to turn off this feature in the background. This article will explain how to disable XML-RPC in WordPress and discuss in-depth on why this functionality was enabled by default.
What is WordPress XML-RPC?
Encyclopedia’s explanation is that the full name of XML-RPC is XML Remote Procedure Call, that is, XML (a subset of the standard universal markup language) remote procedure call. It is a set of specifications and a series of implementations that allow programs running in different operating systems and different environments to implement Internet-based process calls. This remote procedure call uses http as the transmission protocol and XML as the encoding format for transmitting information.
The definition of Xml-Rpc is kept as simple as possible, but at the same time it can transmit, process, and return complex data structures. In short, this is a system that allows the author to post blog posts to WordPress site using popular blogging clients (for example, Windows Live Writer, MS word).
This feature is also necessary when using the WordPress mobile app, or when connecting to a service like IFTTT. To remotely access and publish articles, enable XML-RPC. Previously, in view of security considerations, XML-RPC was set to be disabled by default. But the situation is completely different now, the code quality of WordPress has been greatly improved, thanks to the extensive work of the development team, it is no longer discriminated against in API development. Compared with other cores, security is not a big problem.
There is no reason to disable it by default anymore. With the increasing use of mobile devices, this change is imminent. However, some people who are cautious about security issues may say that although the security of XML-RPC is not a big problem, if a vulnerability is found, it can still be a point of being attacked, so it is best to set it to disabled.
In order to meet the needs of everyone, although the user interface and database options for closing XML-RPC have been removed, if you really need it, you can use the filter provided by WordPress to close it.
Why do we disabling XML-RPC?
Hackers try to exploit the weaknesses of XML-RPC that could possibly be exploited by hackers. An XML-RPC request is created whenever you want to publish content from a remote device. These requests are authenticated with a simple username and password. If a hacker manages to get these credentials, they could use it to send their own requests and gain access to your site.
Disable XML-RPC using a plugin
There is a plugin called ‘Disable XML-RPC’ that you can use in order to block WordPress xmlrpc.php requests. It’s simple as that you just install and activate the plugin. It will automatically disable WordPress xmlrpc.php and if you ever want to enable XMLRPC, then just deactivate the plugin.
How to disable XML-RPC manually?
Just paste the following code into the theme’s functions.php file:
add_filter ('xmlrpc_enabled', '__return_false');
How to disable WordPress XML-RPC through .htaccess file?
Although the above solution is sufficient for many people, it still consumes a lot of resources for the attacked site. For these situations, blocking all requests from xmlrpc.php through the .htaccess file may be considered, and even be intercepted when the request does not reach WordPress.
Just copy the following code to the .htaccess file.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny, allow
deny from all
allow fromxxx.xxx.xxx.xxx
</ Files>
If you would like to retain XML-RPC from a particular IP, replace ‘xxx.xxx.xxx.xxx’ with your IP address, Otherwise, you can simply delete this line.
If you intend to use the XML-RPC function, ensure your website is updated with the latest WordPress version. You should use WordPress version 4.4.1 or higher to ensure your website is not at risk of being hacked.
