The “XML-RPC” protocol was designed to standardize interoperability between different systems, which means that applications outside of WordPress (such as other blogging platforms and clients) can interact with the core of your WordPress site.
WordPress has been using “XML-RPC” since its inception and it has done a very useful job. Without it, WordPress would be isolated from the rest of the Internet.
However, xmlrpc.php has its drawbacks. It is capable of opening vulnerabilities in your WordPress site, and it has now been replaced by the WordPress REST API, which works much better as a link between WordPress and other applications.
In this post, we’ll explain what xmlrpc.php is in WordPress, why it’s advisable to disable it, and help you determine if it’s working on your site.
What is xmlrpc.php in WordPress?
So, as you already know, “XML-RPC” is the protocol that enables communication between WordPress and other systems. This was achieved by standardizing these communications using “HTTP” as the transport mechanism and “XML” as the encoding mechanism.
XML-RPC had appeared much earlier than WordPress itself: it was in the blogging software “b2”, one of the branches of which was used to create WordPress back in 2003. Part of the “b2” software code is stored in a file called xmlrpc.php in the root directory of the site. Yes, it still exists, although “XML-RPC” is largely obsolete.
In earlier versions of WordPress, “XML-RPC” was disabled by default. But starting with version 3.5, it’s back? This was done so that the WordPress mobile app (iOS and Android) could interact with your WordPress site.
If you were using a mobile app before version 3.5, you may remember that you had to separately enable “XML-RPC” on the site for the app to publish content. This was because the app did not interact directly with WordPress, but rather had separate software that communicated with your site using xmlrpc.php.
It’s worth clarifying that “XML-RPC” not only interacted with the app, it was also used to provide communication between WordPress and other blogging platforms, it connected so-called “Pingbacks” (backlinks), and it also worked with the Jetpack plugin.
But with the arrival of the “REST API” and its integration into the WordPress core, the xmlrpc.php file is no longer used for this type of interaction. The “REST API” is now used to communicate with the WordPress mobile app, with desktop clients, with other blogging platforms, with WordPress.com (for the Jetpack plugin), and with other systems. The range of systems with which the “REST API” can communicate is much larger than in xmlrpc.php. In addition, the “REST API” gives much more flexibility to developers.
Based on the fact that the “REST API” has replaced the “XML-RPC”, you should disable xmlrpc.php on your WordPress site. Let’s look into why this should be done.
Why is it recommended to disable xmlrpc.php?
The main reason you should disable xmlrpc.php on your WordPress site is because it can open vulnerabilities and become a target for attacks.
Now that “XML-RPC” is no longer needed to communicate your site with third-party software, there’s no reason to keep the protocol open. It would make sense to make your site more secure, wouldn’t it?
If xmlrpc.php is vulnerable and no longer needed, why hasn’t it been completely removed from WordPress?
That’s a good question, isn’t it?
The reason for this is that one of the key features of WordPress will always be backward compatibility. If you run your site competently, you know that it’s critical to keep the WordPress core up to date, as well as any plugins or themes.
But there will always be webmasters who are unwilling or unable to update everything periodically, and if they use a version before the “REST API” appears, they need access to xmlrpc.php.
1. DDoS attacks via XML-RPC pingbacks
One of the features implemented in xmlrpc.php was pingbacks and trackbacks. These are notifications that appear in comments on your site when another blog or site links to your content.
This linking was made possible by the “XML-RPC” protocol, but it has been replaced by the “REST API” (as you have already learned).
If your site has “XML-RPC” enabled, an attacker could potentially launch a DDoS attack on your site, using xmlrpc.php to send a large number of pingbacks to your site in a short time. This can overload your server and put it out of action.
2. Brute Force attacks via XML-RPC
Every time xmlrpc.php makes a request, it sends a username and password to authenticate. This poses a serious security threat but the “REST API” doesn’t. In fact, the “REST API” uses the “OAuth” method, which sends authentication tokens instead of usernames or passwords.
Since xmlrpc.php sends authentication information with every request, attackers can use it to try to gain access to the site. Such an attack could allow them to insert content, remove code, or corrupt the database.
If an attacker sends a large number of requests to your site, each with a username and password pair, chances are that they will eventually hit the right one, gain access to the site.
That’s why, if you’re using the latest version of WordPress, which uses a “REST API” to communicate with external systems, you should disable xmlrpc.php. It’s not necessary, and it can make your site vulnerable.
Is xmlrpc.php working on your WordPress site?
The first thing you need to do is determine if xmlrpc.php is active on your WordPress site.
It’s not a simple matter of checking if the file is present. The file is part of every WordPress installation and will be present even if “XML-RPC” is disabled.
Always make a backup of your site before you remove anything. In our case, don’t just delete the xmlrpc.php file because it will break your site.
To check if xmlrpc.php is active on your WordPress site, use a verification service. This service will automatically check your site and tell you if the protocol is active or not.
How do I disable xmlrpc.php on my WordPress site?
The easiest way is to install and activate the Disable XML-RPC plugin, don’t be embarrassed that the plugin hasn’t been updated in over a year. There is nothing to update, as it contains only one line of code:
add_filter( 'xmlrpc_enabled', '__return_false' );It is this filter that disables the “XML-RPC” protocol on a WordPress site. And if you don’t want to use plugins, it’s enough to insert the above-mentioned filter into functions.php file of your theme (preferably a child theme).
Alternatively, you can disable the protocol through the .htaccess file by adding the following condition:
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>When should I keep xmlrpc.php?
In some cases xmlrpc.php might be useful and should not be disabled completely.
- You are not using a “REST API”, but you need to exchange data between your WordPress site and other systems.
- There is no way to update your WordPress core to version 4.4 or higher.
- You are working with an external application that cannot access WordPress “REST API”, but work well with “XML-RPC”.
That’s it! If none of these reasons are particularly compelling to you, feel free to disable it.
The only reason this file is still in WordPress is for backward compatibility. For anyone who wants to keep their sites up to date and working with the latest technology, disabling xmlrpc.php is the best option.
XML-RPC was once an important part of WordPress, but now the protocol threatens the security of your WordPress site
To summarize
The “XML-RPC” protocol was developed before WordPress was created as a means for WordPress to communicate with external systems and applications. It has inherent security flaws and can make your site vulnerable to attack.
Since version 4.4, “REST API” support has been integrated into the WordPress core, making “XML-RPC” completely unnecessary. If you follow the steps described above by disabling this feature, you will increase the security of your site.