How to disable XML-RPC in WordPress blogs

What is XML-RPC?

XML-RPC is an XML-based protocol used to perform actions on a remote server. Both the client and the server have to support the protocol for this to work. XML-RPC is an abbreviation for eXtensible Markup Language (XML) Remote Procedure Call (RPC). It is a remote procedure call protocol that uses XML to encode its messages and HTTP as its transport mechanism.

XML-RPC is the protocol of choice for a variety of frameworks and servers, for a variety of reasons. Inside the WordPress framework it provides many different functions. It is used to get information about posts, pages, taxonomies, media, comments, users etc. It is also used to publish new posts, retrieve comments and receive trackbacks and pingbacks, among other things. It pretty much allows you to perform all blog-related activities remotely, without using the user interface.

The XML-RPC protocol has been enabled by default in WordPress since version 3.5. Unfortunately, WordPress no longer gives you the option to turn it off from the user interface.

Why disable XML-RPC?

The XML-RPC feature is usually not required if you are not using any of the above-mentioned functionality remotely. It is not a good idea to keep an unused interface open, since it is a potential security risk. The WordPress implementation of XML-RPC is pretty good and relatively risk free, but that does not mean there are no yet-to-be-found bugs or that there will be no issues in the future.

DDoS attacks

Any kind of publicly exposed interface is susceptible to Distributed Denial of Service (DDoS) attacks. Most modern, well-secured servers are capable of dealing with such attacks. What makes WordPress more vulnerable is the pingback or trackback feature, which is used (or abused) to attack other third-party blogs and websites.

Man-in-the-Middle attacks

This is not unique to XML-RPC; your other interfaces, such as the WordPress admin, are also vulnerable to these attacks. But disabling XML-RPC makes it one less endpoint that you need to worry about.

A simple Google search will give you more information about how the XML-RPC protocol has been abused and exploited in the past. Almost all of those issues have been fixed by now, but that does not mean it won't be exploited again or that they won't resurface in the future.

How to disable XML-RPC?

As mentioned earlier, there is no straightforward option to disable XML-RPC from the user interface (at least not as of this post). Below are a couple of other techniques that you can use to manually disable it in WordPress.

Delete the File (xmlrpc.php)

One option is to find the file that implements the protocol, named xmlrpc.php, and delete it. The file is located in the root directory of the WordPress installation. You can delete the file, but I suggest that you rename it instead. You can also give it a different file extension. It is always a good idea to keep a backup.

The issue with deleting the file is that it might cause a whole lot of 404 errors about the missing file. To avoid that, you can instead remove the code from the file but keep the file itself in place (after backing it up to another location, of course, as described in the next section).

Remove the code (xmlrpc.php)

First, back up the original xmlrpc.php so that you have a copy in case something goes wrong or you want to restore it later. Now, instead of deleting or removing the file, comment out the entire code inside it. This should alleviate the issue of WordPress complaining about the missing file. You could also create an empty PHP file with the same name instead of commenting the code out.

Remove From Header

In order to remove the link from the header, you can use the functions file in WordPress. You might have already used this file for other customizations. The file is named functions.php and you can add the following code to it:

remove_action( 'wp_head', 'rsd_link' );

This should remove the reference to the xmlrpc file (the RSD link) from the header of all pages on the website.

WordPress Hooks
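
The remove_action line in the previous section is one of WordPress's hook calls. The functions.php snippet below is an added example (not code from the original post) that disables XML-RPC entirely through core WordPress hooks instead of editing xmlrpc.php. It assumes a theme functions.php that already opens with <?php, and uses only core hook names (xmlrpc_enabled, wp_head, wp_headers, xmlrpc_methods).

```php
<?php
// Added example, not from the original post: disable XML-RPC from the
// theme's functions.php using core WordPress hooks. (functions.php already
// opens with <?php; drop that line when pasting.)

// 1. Reject every XML-RPC method that authenticates. WordPress answers
//    these calls with an XML-RPC fault instead of running them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the RSD <link> that advertises xmlrpc.php in the page <head>
//    (the same remove_action shown in the previous section).
remove_action( 'wp_head', 'rsd_link' );

// 3. Remove the X-Pingback response header, the other place where the
//    endpoint is advertised to clients.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. xmlrpc_enabled only gates methods that log in; pingback.ping needs
//    no login, so the pingback methods (the part abused against third-party
//    sites, as described above) are unregistered explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
```

With these hooks in place xmlrpc.php still answers requests (with a fault), so the .htaccess rule in the section below is still worth adding if you want to stop the probing traffic at the server.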

Using Plugins

There are a couple of WordPress plugins available that can be used to disable XML-RPC. They pretty much use one of the techniques described above.

A couple of examples are Disable XML-RPC and Remove XMLRPC Pingback Ping. You can also give the plugin Secure XML-RPC a try if security is your main concern.

Using Apache .htaccess file

Although the above techniques all effectively disable the XML-RPC protocol, they do not stop users, bots or other programs from scanning for the specific file. I usually find a whole lot of direct requests for this file (usually from rogue bots) trying to find the protocol implementation file.

If you want to thwart these requests right at the server, then it is a good idea to use .htaccess to deny access to the file or URL itself and/or redirect it. You can use either of the following snippets in your .htaccess on the Apache server to achieve that.

<FilesMatch "^(xmlrpc\.php)">
# Apache 2.2 syntax; on Apache 2.4 (without mod_access_compat) use "Require all denied" instead
Order Allow,Deny
Deny from all
</FilesMatch>

OR

# matches /xmlrpc.php whether WordPress lives at the site root or in a subdirectory
RedirectMatch 403 /xmlrpc\.php$

Issues with disabling XML-RPC

It is possible that some of the other plugins you are using rely on the XML-RPC feature of WordPress. The Jetpack plugin is one of them; some of its posting features use XML-RPC.