1. Home
  2. WordPress
  3. 3 Ways to Disable XML-RPC in WordPress [Security]
  1. Home
  2. Network and security
  3. 3 Ways to Disable XML-RPC in WordPress [Security]

3 Ways to Disable XML-RPC in WordPress [Security]

XML-RPC in WordPress is an useful feature that allows you to remotely publish posts via mobile phones or tablet or Windows Live Writer. However, keeping XML-RPC enabled on your WordPress blog is always a risk. Recently, an attacker used xml-rpc on one of my WordPress blog to send some spam traffic to various websites. But that was an older version of WordPress (on an abandoned website), so even the xml-rpc might had a security hole that allowed an attacker to exploit it. Well, I’m not sure how secure they are (xml-rpc) in latest version of WordPress. If you ever want to disable xml-rpc on WordPress, then there are 3 ways to do it.wordpress security

Disable XML-RPC via snippets:

Copy and paste the below line in functions.php file

add_filter('xmlrpc_enabled', '__return_false');

Disable XML-RPC via Plugin:

If you don’t want to mess with WordPress code, then a plugin is the safest way to disable xml-rpc. All you need is to install Disable XML-RPC plugin and activate it.

Disable XML-RPC via htaccess:

Copy and paste the below lines in .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Note: You may need to allow from few IP addresses, which can achieved using ‘allow from’ attribute as shown below:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from x.x.x.x
</Files>

Test XML-RPC using curl command:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
Sample output:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /xmlrpc.php
on this server.</p>
</body></html>
Lookout for “403 Forbidden” message in the above sample output. It means that XML-RPC is disabled in your site.

And the bonus is here…

50 things to do after Installing WordPress…

Updated on September 2, 2017

Was this article helpful?

Related Articles

Comments

Add A Comment