How to disable xmlrpc.php?

While monitoring my system I noticed an increased number of requests to xmlrpc.php. Every one of those requests took 200MB to 205MB of RAM and resulted in system instability, and on a few occasions it caused my 8GB Digital Ocean Droplet to run out of memory and eventually crash, leaving all my sites not working for some 10 hours or so.

Recently I’ve read that many hackers now use xmlrpc.php instead of wp-login.php to execute their brute force attacks. And the problem is – since WordPress 3.5 you can’t disable the use of xmlrpc, at least not from the WordPress control panel.
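Before (and after) applying any of the blocks described below it is worth knowing who is hammering xmlrpc.php and whether those requests are still being served. The following is an added example, not part of the original post: a small POSIX shell/awk script that runs over a constructed sample of combined-format access log lines (the IPs are documentation addresses, not real attackers), counts xmlrpc.php requests per client, flags clients above a threshold, and counts how many of those requests were answered with 200 rather than blocked with 403. The function names and the threshold value are my own choices.

```shell
#!/bin/sh
# Constructed sample of Apache/nginx combined-format access log lines (not real traffic).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [12/May/2016:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2016:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2016:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2016:10:01:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2016:10:01:05 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.55 - - [12/May/2016:10:01:06 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2016:10:01:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
EOF

# In the combined log format field 1 is the client IP, field 7 the request path
# (possibly with a query string) and field 9 the HTTP status code.

# Count requests to xmlrpc.php per client IP, most active client first.
# Usage: xmlrpc_top_clients LOGFILE   -> lines of "COUNT IP"
xmlrpc_top_clients() {
    awk '$7 ~ /^\/xmlrpc\.php/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the clients that sent more than THRESHOLD requests to xmlrpc.php.
# Usage: xmlrpc_offenders LOGFILE THRESHOLD   -> one IP per line
xmlrpc_offenders() {
    xmlrpc_top_clients "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Number of xmlrpc.php requests the server actually served (status 200) instead
# of refusing (403). Once one of the blocks is in place this should stay at zero.
# Usage: xmlrpc_served_count LOGFILE
xmlrpc_served_count() {
    awk '$7 ~ /^\/xmlrpc\.php/ && $9 == "200" { c++ } END { print c + 0 }' "$1"
}

echo "requests to xmlrpc.php per client:"
xmlrpc_top_clients "$SAMPLE_LOG"
echo "clients with more than 2 requests:"
xmlrpc_offenders "$SAMPLE_LOG" 2
echo "served (200) xmlrpc.php requests: $(xmlrpc_served_count "$SAMPLE_LOG")"
```

Point the functions at your real access log instead of SAMPLE_LOG; the served count is the quickest way to confirm that a block added in .htaccess, httpd.conf or nginx is actually taking effect, since a misplaced directive leaves the count climbing even though the configuration looks right.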

There are many ways to do that and I’ll write some:

1. Deleting xmlrpc.php file
This is really not recommended. After a WordPress (auto)update the deleted file will be restored anyway, so it is not a smart thing to do; I only list it here so that nobody tries it.

2. Plugins
There are several plugins that can do this. I found these two to be the most used ones: Disable XML-RPC and XML-RPC Pingback. Both plugins are really basic (only a couple of lines of code) but they should be able to help you out and protect your blog against those attacks.

3. Adding filter to theme functions.php file
This is basically the same thing as the plugins above, but with one plugin less. All you need to do is edit your theme's functions.php and add these couple of lines:

// Strip the X-Pingback header so the site stops advertising its XML-RPC endpoint.
function remove_x_pingback($headers) {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'remove_x_pingback');
// Tell WordPress to refuse all XML-RPC requests (the filter exists since WordPress 3.5).
add_filter('xmlrpc_enabled', '__return_false');

4. Block access at .htaccess
You can simply add this short block to your .htaccess file and block access to the xmlrpc.php file entirely. A user accessing xmlrpc.php will get a 403 Forbidden error.

# Order/Deny are Apache 2.2 directives; Apache 2.4 only accepts them when
# mod_access_compat is loaded (the 2.4 equivalent is "Require all denied").
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

5. Blocking access in nginx
If you are running nginx instead of Apache you should add this code to your nginx configuration:

server {
    location = /xmlrpc.php {
        deny all;
    }
}

6. Block on entire server
If you have one server or VPS with tens or hundreds of WordPress installations (like me), any of the solutions above will take time to implement. So the best thing to do is to block access to the xmlrpc.php file at the Apache level, simply by adding this to the httpd.conf file:

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

Or, even better, add this block, which also blocks wp-trackback.php and thus prevents trackback hacking attempts:

<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

If you don't use XML-RPC then you can safely disable it using any of the methods above (except the first one, of course) and protect your blog against xmlrpc hacks.


Comments

  1. This really helped me. I was using the blocking via htaccess and/or nginx. Adding that piece of code on a cPanel/WHM server helped a lot. Thanks!

  2. Adeyemi Salau
    May 30, 2016 - 7:41 am

    Thanks. This was helpful.

  3. Thanks, but how do you block everything on the server but allow from certain IP addresses? When I try this with the below code (to allow Jetpack) it doesn’t work:

    Order Deny,Allow
    Allow from 185.64.140.0/22
    Allow from 2a04:fa80::/29
    Allow from wordpress.com
    Allow from 2620:115:C000::/44
    Allow from 76.74.255.0/25
    Allow from 76.74.248.128/25
    Allow from 207.198.101.0/25
    Allow from 198.181.116.0/22
    Allow from 192.0.64.0/18
    Allow from 64.34.206.0/24
    Deny from all

  4. This one works better than relying on just Apache:

    https://wordpress.org/plugins/disable-xml-rpc-littlebizzy/
