WordPress Security: Protect WordPress from XML-RPC Attacks


XML-RPC attacks are very common these days. When a server has not been hardened or tuned, even a small amount of malicious traffic can cause problems or errors, and usually these attacks end in the exhaustion of system resources. While monitoring my system, I noticed a huge increase in xmlrpc.php use. Each of those requests took approximately 200 MB of RAM and brought the website down; eventually my websites were down for some 3 hours or so.

I came to know that it was a Denial of Service (DDoS) attack while checking the NGINX logs with the following command:

sudo tail -f /var/log/nginx/error.log
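The error log shows the symptoms; the access log shows which clients are hammering xmlrpc.php. The following is an added example, not part of the original post, that parses constructed access-log lines in the NGINX "combined" format and reports the source IPs that sent at least three xmlrpc.php requests inside any one-minute window (the threshold and window are assumed values, and the log lines and IPs are made up):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in NGINX "combined" log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2020:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2020:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2020:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "curl/7.64.0"
"""

# client IP, timestamp, request line (method + path) and status code of a combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def xmlrpc_offenders(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map each IP that sent >= threshold xmlrpc.php requests within one window
    to its peak request count. Blocked (403) requests are counted too, so the
    report still shows whether the flood is continuing after deny rules are in place."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, _status = rec
        if path.endswith("/xmlrpc.php"):
            hits[ip].append(ts)
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()  # log lines are not guaranteed to be in time order
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders
```

Run it against a real file with `xmlrpc_offenders(open("/var/log/nginx/access.log").read())`; the IPs it returns are the ones worth checking before and after applying the blocking rules in this post.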

I did some research and found that many hackers are now using xmlrpc.php instead of wp-login.php to carry out XML-RPC attacks (brute force attacks). The most unfortunate thing is that you can’t prevent the use of xmlrpc.php since WordPress 3.5.

An hour of research helped me get rid of this Denial of Service (DDoS) attack, and my website was up and running within 2 minutes of applying the fix. So I decided to post the solution to this brute force attack to help people who are facing the same problem.

6 Ways To Protect WordPress from XML-RPC Attacks

1. Deleting xmlrpc.php file

This is really not recommended, as XML-RPC on WordPress is actually an API, or “application programming interface”. It gives developers (who make mobile apps, desktop apps and other services) the ability to:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

After the next WordPress (auto) update, the deleted file will be restored, so this is not a smart way to get rid of the issue.

2. Plugins

This is one of the easiest methods. Several plugins are available that will do the job for you; just installing and activating one is enough. I found these two to be the most used: Disable XML-RPC and XML-RPC Pingback. Both plugins are really basic and contain only a couple of lines of code, but they help protect your blog against these attacks.

3. Adding filter to functions.php file

This is just an alternative to a plugin. Those who do not like having too many plugins in their WordPress admin panel can add a filter to the active theme instead. All you need to do is edit your theme’s functions.php and add these few lines:

// Strip the X-Pingback header so the site no longer advertises its XML-RPC endpoint.
function remove_x_pingback($headers) {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'remove_x_pingback');
// Tell WordPress to reject XML-RPC requests that require authentication.
add_filter('xmlrpc_enabled', '__return_false');

4. Block access at .htaccess

You just need to edit the .htaccess file and add the following block. This blocks access to the xmlrpc.php file entirely: when an attacker hits your website, every request to xmlrpc.php gets a 403 Forbidden error. (On Apache 2.4 without mod_access_compat, the equivalent of the two Order/Deny lines is a single Require all denied directive.)

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

5. Blocking access in NGINX

If you are using LEMP (Linux, NGINX, MySQL, PHP) or simply NGINX web server instead of Apache web server you should add this code to your NGINX Server Block:

server {
    # Return 403 for every request to xmlrpc.php before it reaches PHP.
    location = /xmlrpc.php {
        deny all;
    }
}

6. Block on entire server

If you have a single server or VPS hosting a large number of WordPress installations, the best way to get rid of this issue is to block access to the xmlrpc.php file at the Apache level, simply by adding these few lines to the httpd.conf file:

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

You can make this even better by using the following lines instead, which also block wp-trackback.php and so prevent trackback hacking attempts.

<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

This will stop the Denial of Service (DDoS) attack described above, since the web server now rejects every request to xmlrpc.php before WordPress and PHP are ever invoked.

Hope you will find all these tips useful in preventing XML-RPC Attacks. If you have some other ways to get rid of this issue, put them in the comment section below.

If you like this post share it with your friends on social media and help people stay secure against such attacks.
