While monitoring hits to this blog, I noticed that the file which received the most hits is xmlrpc.php. I was surprised because I don't use XML-RPC for remote access or posting at all. I guess the problem may come from bots, spammers or even hackers. So I decided to disable XML-RPC completely, and here is how I did that.
What is XML-RPC?
XML-RPC is a Remote Procedure Call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. XML-RPC also refers generically to the use of XML for remote procedure call, independently of the specific protocol.
Briefly, you use XML-RPC when you want to do something to your blog from a remote client, such as publishing a post or reading comments.
How is XML-RPC used in WordPress?
WordPress enables XML-RPC by default (since version 3.5 there is no setting in the admin screens to turn it off). It exposes an API that lets a remote client get, edit and create posts, comments, taxonomies, media, users and even options, which means practically everything.
Where is XML-RPC actually used in WordPress? In many places:
- Pingbacks and trackbacks
- The JSON API plugin
- The WordPress iPhone/Android apps
- Remote posting from desktop clients, Microsoft Word for example
- Your own apps, perhaps!
How to disable XML-RPC in WordPress
As I said earlier, leaving XML-RPC enabled without knowing what it does is no different from leaving a back door open for spammers and attackers. xmlrpc.php is a favourite target for password guessing: every call to an authenticated method such as wp.getUsersBlogs is a login attempt, and system.multicall lets one HTTP request bundle hundreds of them, so the usual per-request login limits don't help. The pingback.ping method has also been abused to make WordPress sites send requests to third-party targets. Even when none of this succeeds, the traffic wastes your server/hosting resources. Disable it if you don't need it, but check first that nothing of yours depends on it: Jetpack, the WordPress mobile apps and the desktop blogging clients listed above all talk to xmlrpc.php.
First, turn off XML-RPC inside WordPress itself with this code (put it in a functionality plugin or an mu-plugin rather than your theme's functions.php, so it survives a theme change):
// Make every authenticated XML-RPC method fail at login with the fault "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );
// Close pingbacks/trackbacks so the unauthenticated pingback.ping method is refused as well
add_filter( 'pings_open', '__return_false' );
These two lines make WordPress refuse XML-RPC calls: the xmlrpc_enabled filter makes every authenticated method fail at login, and closing pings makes pingback.ping reject every target post. Note that the filter only covers methods that require a login; xmlrpc.php itself still answers, for example to system.listMethods, which is one more reason to block it at the web server as well (see below). If you can't add the snippet to your website, use the Falcon plugin, which helps you disable XML-RPC and also provides a lot of tweaks and optimizations for your WordPress website.
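As an added example (my own code, not from the original post or from WordPress itself), here is a complete must-use plugin that goes a step further than the two filters above: it also unregisters the unauthenticated methods, including system.multicall, that still answer when xmlrpc_enabled is false, and it stops WordPress advertising the endpoint in the page head. The plugin name and the file path in the header are my own choices; any mu-plugin or functionality plugin works.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Description: Refuse XML-RPC at the WordPress layer. Save as
 *              wp-content/mu-plugins/disable-xmlrpc.php (path is an assumption;
 *              any mu-plugin or functionality plugin works).
 */

// 1. Every authenticated method now fails at login with the fault
//    "XML-RPC services are disabled on this site." Unauthenticated methods
//    (pingback.ping, demo.*, system.*) are NOT affected by this filter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Close pingbacks/trackbacks: pingback.ping refuses every target post and,
//    because WordPress only adds the X-Pingback response header when pings are
//    open, that header disappears too.
add_filter( 'pings_open', '__return_false' );

// 3. Unregister the unauthenticated methods that survive step 1, so they neither
//    run nor show up in system.listMethods. Dropping system.multicall also kills
//    the trick of packing hundreds of login attempts into a single request.
//    (To drop every method at once: add_filter( 'xmlrpc_methods', '__return_empty_array' );)
add_filter( 'xmlrpc_methods', function ( array $methods ) {
	$unwanted = array(
		'pingback.ping',
		'pingback.extensions.getPingbacks',
		'demo.sayHello',
		'demo.addTwoNumbers',
		'system.multicall',
	);
	foreach ( $unwanted as $name ) {
		unset( $methods[ $name ] );
	}
	return $methods;
} );

// 4. Stop advertising the endpoint: the RSD <link> in <head> tells blogging
//    clients (and scanners) where xmlrpc.php lives.
remove_action( 'wp_head', 'rsd_link' );
```

After activating it, a POST to /xmlrpc.php calling wp.getUsersBlogs returns an XML fault instead of checking the credentials, and a call to system.multicall or pingback.ping returns the "requested method does not exist" fault. The file still runs PHP and loads WordPress for each hit, which is why the web-server block described next is worth adding on top.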
There is still room to improve performance. Handling a request to xmlrpc.php in WordPress means starting PHP and loading WordPress just to say no. Instead, why not let the web server, Apache or nginx, reject the request? It is then denied at a lower layer, before PHP runs, which is much cheaper.
Block requests to xmlrpc.php with Apache or nginx
To deny requests to xmlrpc.php in Apache, add this code to your .htaccess file (the Order/Deny directives in the second variant are Apache 2.2 syntax; they still work on Apache 2.4 as long as mod_access_compat is loaded, which it is in most distribution packages):
<IfModule mod_alias.c>
    # mod_alias: answer 403 for any request path matching the regex /xmlrpc.php
    RedirectMatch 403 /xmlrpc.php
</IfModule>
or
<Files xmlrpc.php>
    # Apache 2.2 access control (needs mod_access_compat on Apache 2.4)
    Order Deny,Allow
    Deny from all
</Files>
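Added example (my own, not from the original post): a .htaccess block that uses the native syntax on both Apache 2.2 and 2.4 and, unlike the snippets above, exempts one trusted client, so that a blogging app on a fixed address can keep using XML-RPC. The address 203.0.113.10 is a placeholder; replace it, or remove the exemption if you want to deny everyone.

```apache
<Files "xmlrpc.php">
    # Apache 2.4: mod_authz_core is present. A bare "Require ip" denies everyone
    # except the listed address; use "Require all denied" instead to deny all.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2: Deny is evaluated first, then Allow, so the Allow line wins
    # for the listed address only. Drop the Allow line to deny everyone.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

Test it from two places: from the exempted address a POST to /xmlrpc.php should still reach WordPress, from anywhere else Apache should answer 403 without PHP ever running (nothing appears in the PHP-FPM or WordPress logs).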
If you're using nginx, add this to your server block:
server {
    # An exact-match location (=) takes precedence over the regex location that
    # hands *.php to PHP-FPM, so nginx rejects the request and PHP never runs.
    location = /xmlrpc.php {
        deny all;
    }
}
Block XML-RPC with CloudFlare
If you're using CloudFlare, it's probably better to block requests to xmlrpc.php there. The requests are then blocked at CloudFlare's edge and never reach your server at all, which reduces server load even further.
To block XML-RPC with CloudFlare, go to Security > WAF, select the Custom rules tab, then click the + Create rule button:
In this screen, enter the following details:
- Rule name: can be anything
- Field: select URI path
- Operator: select contains
- Value: enter “xmlrpc.php”
- Action: choose Block
This rule blocks every request whose URI path contains "xmlrpc.php", which is exactly what we want. (Because the operator is "contains", it also matches paths such as /wp/xmlrpc.php or /xmlrpc.php.bak, which is harmless here.)
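The form above builds the expression `(http.request.uri.path contains "xmlrpc.php")`, which you can see by switching the rule builder to the Expression Editor. As an added example (not from the original post), here is a tighter variant written directly in that editor: it matches the path exactly and lets one trusted network through, for a blogging client or a Jetpack-style integration that you still need. The range 203.0.113.0/24 is a placeholder; replace it with your own address or drop the `and not ...` clause to block everyone.

```text
(http.request.uri.path eq "/xmlrpc.php" and not ip.src in {203.0.113.0/24})
```

Keep the action set to Block. Custom rules are evaluated in order, so place this one above any rule that would otherwise allow the traffic.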
That's all. Your blog no longer answers unexpected XML-RPC requests, which should save server resources and improve performance. Verify it from outside: a POST to /xmlrpc.php should now get a 403 from the web server or CloudFlare (or, if you only applied the PHP filters, an XML fault from WordPress). One caveat: a CloudFlare rule only protects traffic that goes through CloudFlare, so an attacker who finds your origin IP can still hit xmlrpc.php directly. Keep the web-server block in place as well.