3 Ways to Disable XML-RPC in WordPress [Security]

XML-RPC in WordPress is a useful feature that allows you to publish posts remotely from a mobile phone, a tablet or Windows Live Writer. However, keeping XML-RPC enabled on your WordPress blog is always a risk. Recently, an attacker used xml-rpc on one of my WordPress blogs to send spam traffic to various websites. But that was an older version of WordPress (on an abandoned website), so the xml-rpc implementation might have had a security hole that allowed an attacker to exploit it. Well, I’m not sure how secure xml-rpc is in the latest version of WordPress. If you ever want to disable xml-rpc in WordPress, there are 3 ways to do it.

Disable XML-RPC via snippets:

Copy and paste the line below into the functions.php file:

// Disable the XML-RPC methods that require authentication
add_filter('xmlrpc_enabled', '__return_false');

Disable XML-RPC via Plugin:

If you don’t want to mess with WordPress code, then a plugin is the safest way to disable xml-rpc. All you need to do is install the Disable XML-RPC plugin and activate it.

Disable XML-RPC via htaccess:

Copy and paste the lines below into the .htaccess file (these are Apache 2.2-style access directives; on Apache 2.4 they only work if mod_access_compat is loaded):

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Note: you may need to allow access from a few IP addresses, which can be achieved with the ‘allow from’ directive as shown below:

# Block WordPress xmlrpc.php requests, except from x.x.x.x
<Files xmlrpc.php>
order deny,allow
deny from all
allow from x.x.x.x
</Files>

Test XML-RPC using curl command:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

Sample output:

<title>403 Forbidden</title>
<p>You don't have permission to access /xmlrpc.php
on this server.</p>

Look for the “403 Forbidden” message in the sample output above. It means that XML-RPC is disabled on your site.
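To make that check repeatable, here is an added Python script (my own example, not code from the original post) that sends the same kind of probe with the standard library and classifies the answer. It sends system.listMethods instead of pingback.ping, because that method needs no login and causes no outbound pingback request, and it distinguishes three answers: an HTTP 403 page from the web server when the .htaccess rule is in place, a normal methodResponse when WordPress is still answering (the script reports whether pingback.ping is in the list; the xmlrpc_enabled filter only applies to methods that require a login, so a site using just that filter still shows up here), and an XML-RPC fault such as code 405 "XML-RPC services are disabled on this site.", which is what the filter returns for a method that does need a login. The sample response bodies are constructed inline so interpret_response() runs offline; check_site() is the only function that needs a live site, and the base URL passed to it is a placeholder.

```python
"""Classify a WordPress site's answer to an XML-RPC probe.

Added example, not code from the original post. It mirrors the curl check
in the article but uses system.listMethods (no login, no outbound pingback)
and sorts the reply into:
  blocked   - the web server itself refused xmlrpc.php (HTTP 403)
  answering - WordPress returned a normal methodResponse
  fault     - WordPress returned an XML-RPC fault (e.g. 405 from the
              xmlrpc_enabled filter for a method that needs a login)
  unknown   - the body is not XML-RPC at all
"""
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

# --- constructed sample bodies, standing in for real server responses ---
FORBIDDEN_HTML = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head><title>403 Forbidden</title></head><body>\n"
    "<p>You don't have permission to access /xmlrpc.php on this server.</p>\n"
    "</body></html>"
)
LIST_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "pingback.ping", "wp.getUsersBlogs"],),
    methodresponse=True,
)
FAULT_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."),
    methodresponse=True,
)


def probe_body():
    """XML-RPC request body for system.listMethods (takes no parameters)."""
    return xmlrpc.client.dumps((), "system.listMethods")


def interpret_response(status, body):
    """Map one HTTP status code plus response body to a (state, detail) pair."""
    if status == 403:
        return ("blocked", "web server refused xmlrpc.php with 403")
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # WordPress answered, but with an XML-RPC fault (HTTP status is 200).
        return ("fault", "%d: %s" % (fault.faultCode, fault.faultString))
    except (xmlrpc.client.ResponseError, ExpatError):
        return ("unknown", "HTTP %d with a non-XML-RPC body" % status)
    # A system.listMethods response carries one parameter: the method list.
    methods = params[0] if params and isinstance(params[0], list) else []
    if "pingback.ping" in methods:
        return ("answering", "%d methods listed, pingback.ping included" % len(methods))
    return ("answering", "%d methods listed" % len(methods))


def check_site(base_url, timeout=10):
    """POST the probe to <base_url>/xmlrpc.php and interpret the reply (needs a live site)."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/xmlrpc.php",
        data=probe_body().encode("utf-8"),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return interpret_response(response.status,
                                      response.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 403 and other error statuses land here
        return interpret_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Walk the constructed samples so the script demonstrates itself offline;
    # replace this with check_site("http://www.anywordpresssite.com") for a real run.
    for label, status, body in [("htaccess block", 403, FORBIDDEN_HTML),
                                ("still answering", 200, LIST_RESPONSE),
                                ("filter fault", 200, FAULT_RESPONSE)]:
        print("%-16s -> %s: %s" % ((label,) + interpret_response(status, body)))
```

Because the HTTP 403 comes from the web server before WordPress runs, it is the only outcome that proves xmlrpc.php is unreachable; an "answering" result after applying only the functions.php filter is expected and tells you that unauthenticated methods are still served.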


Disclaimer: The content published in this article is the views of the author only. Techglimpse does not guarantee accuracy, completeness or validity. If you believe the content in this post violates your copyright, please send us a mail for removal.