WordPress and xmlrpc.php – why should you block it?

If you have taken a good look at the WordPress installation on your hosting, you have surely noticed the xmlrpc.php file in the website directory. This enigmatic name refers to the XML-RPC protocol, which WordPress uses to communicate with external systems. Its mere presence is not as dangerous as its direct use.

What is the xmlrpc.php file for?

WordPress is CMS software that can be used not only after logging into the administration panel, but also through external applications. The xmlrpc.php file enables that communication between WordPress and external applications over XML-RPC, a feature that has been available in WordPress almost from the beginning of its existence. Over the years, it turned out that this feature opens up potentially dangerous opportunities and makes it easier to break into websites running WordPress.

One of the features that relied on XML-RPC was pingbacks and trackbacks between sites. If you browse your WordPress settings, you will come across these names under the Discussion settings.

What are the dangers of an active xmlrpc.php file?

The xmlrpc.php file and the XML-RPC function, if enabled, are an easy target for a potential attacker. There are many ways to abuse this feature, but the 2 most common are:

  • Brute force attacks (password guessing)
  • DDoS attacks on the website

It is worth mentioning that XML-RPC is used in the current WordPress environment much less often than a few years ago. Nevertheless, its presence is a potential threat to the site itself.
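To see what the brute-force scenario above looks like from the server side, here is an added example (not code from the original article) that scans web-server access-log lines for clients repeatedly posting to xmlrpc.php. The log lines, IP addresses and thresholds are constructed for illustration. Only accepted (2xx) requests are counted: a request already rejected with 403 by an .htaccess rule never reached WordPress.

```python
"""Flag clients hammering xmlrpc.php in a web-server access log.

Added example, not from the original article. The log lines below are
constructed; the IP addresses come from documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 posts to xmlrpc.php repeatedly; 198.51.100.4 is
# a normal visitor whose single POST was already rejected (403) by .htaccess.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def xmlrpc_posts_by_ip(lines):
    """Return {ip: [timestamps]} for accepted (2xx) POSTs to xmlrpc.php.

    Requests blocked by the web server (403) are excluded: they never reached
    WordPress, so they are noise for this purpose.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0].endswith("/xmlrpc.php")
                and rec["status"].startswith("2")):
            hits[rec["ip"]].append(rec["time"])
    return hits


def flag_bursts(hits, threshold=3, window_s=60):
    """Return {ip: peak_count} for clients exceeding `threshold` accepted
    xmlrpc.php POSTs within any sliding window of `window_s` seconds."""
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most window_s seconds.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    posts = xmlrpc_posts_by_ip(SAMPLE_LOG.splitlines())
    for ip, peak in flag_bursts(posts).items():
        print(f"{ip}: {peak} accepted xmlrpc.php POSTs within 60 s")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; once xmlrpc.php is blocked with the .htaccess rule described later in this article, every such request shows up as a 403 and the flagged set goes empty.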

How to block an xmlrpc.php file?

Disabling XML-RPC does not delete the file itself (deleting it is not recommended anyway); instead, it blocks any traffic that would reach it. To protect your website, use the options provided by your web hosting and by the WordPress application itself.

Block xmlrpc.php via WordPress

For this type of lock, use the functions.php file, which you can find under Appearance > Theme File Editor. To the functions already present (the file may also be empty), add the line:

// Disables the XML-RPC methods that require authentication (e.g. logging in)
add_filter('xmlrpc_enabled', '__return_false');


Block xmlrpc.php using the .htaccess file on your hosting

On the hosting side, you can also block the file by editing the .htaccess file in the website directory. Add the following block to the file:

<Files xmlrpc.php>
# Apache 2.2 syntax (still accepted by 2.4 through mod_access_compat)
Order allow,deny
Deny from all
# Apache 2.4 equivalent: Require all denied
</Files>

If you do not know how to edit this file properly, check out the example manual that explains how to use the .htaccess file on any WordPress hosting.

How to check if a WordPress website is using XML-RPC?

At first glance, you cannot tell if your website has XML-RPC enabled. To perform the test, go to the website at https://xmlrpc.eritreo.it/ and enter the full URL of your website.

If the test is successful (green tick), the site has XML-RPC enabled and unprotected. A red cross means that access to the script and its functions is blocked.
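The same verdict the online test gives can be derived offline from a response you have already captured yourself (for example with curl). The following is an added example, not code from the article, the test site or WordPress; the sample response bodies are constructed, but the fault code and text follow what WordPress returns when the xmlrpc_enabled filter is set to false and a method requiring login is called.

```python
"""Classify how a site answers a request for xmlrpc.php.

Added example, not from the original article or from WordPress. It gives the
same kind of verdict as the online test, but works offline on a response you
captured yourself (status code plus body). Sample bodies are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: what an enabled endpoint returns for the demo.sayHello method.
HELLO_RESPONSE = (
    "<methodResponse><params><param><value><string>Hello!</string></value>"
    "</param></params></methodResponse>"
)

# Constructed, following the fault WordPress sends when
# add_filter('xmlrpc_enabled', '__return_false') is active and a method
# requiring login is called (HTTP status is still 200 in that case).
DISABLED_FAULT = """
<methodResponse><fault><value><struct>
  <member><name>faultCode</name><value><int>405</int></value></member>
  <member><name>faultString</name>
    <value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>
"""

# Constructed: a fault for wrong credentials, i.e. the endpoint is fully live.
BAD_LOGIN_FAULT = """
<methodResponse><fault><value><struct>
  <member><name>faultCode</name><value><int>403</int></value></member>
  <member><name>faultString</name>
    <value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>
"""


def classify_xmlrpc_response(status, body):
    """Return a short verdict for an HTTP response from /xmlrpc.php."""
    if status in (401, 403):
        return "blocked-by-server"          # e.g. the .htaccess rule: WordPress never ran
    if status == 404:
        return "absent"                     # file missing or rewritten away
    if "accepts POST requests only" in body:
        return "enabled"                    # WordPress's reply to a plain GET
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return "not-xmlrpc"                 # HTML page, WAF block page, etc.
    if root.tag != "methodResponse":
        return "not-xmlrpc"
    fault = root.find("fault")
    if fault is None:
        return "enabled"                    # a real method result came back
    code = fault.findtext(".//member[name='faultCode']/value/int")
    text = fault.findtext(".//member[name='faultString']/value/string") or ""
    if code == "405" and "disabled" in text:
        return "auth-methods-disabled"      # xmlrpc_enabled filter in effect
    return "enabled-with-fault"             # endpoint is live; only this call failed


if __name__ == "__main__":
    samples = [(403, "<html>Forbidden</html>"), (200, HELLO_RESPONSE),
               (200, DISABLED_FAULT), (200, BAD_LOGIN_FAULT)]
    for status, body in samples:
        print(status, classify_xmlrpc_response(status, body))
```

The two blocking methods from this article are distinguished on purpose: the xmlrpc_enabled filter only disables the XML-RPC methods that require authentication, so the endpoint itself still answers (reported here as "auth-methods-disabled"), whereas the .htaccess rule returns 403 before WordPress runs at all ("blocked-by-server"). If the goal is to remove the whole attack surface, including the pingback-based abuse mentioned earlier, the web-server block is the more complete option.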

How to Create an Azure Cloud CDN

Content Delivery Networks (CDNs) can significantly speed up the delivery of assets on a web site. However, as not all websites are the same, it’s important to determine whether your own deployments will benefit.

For a global training business that publishes significant numbers of videos, Azure blob storage is a good match to your business model. Azure Blob storage also enables simple web publishing. However, your company’s plans to expand could overload a single point of distribution.

In this unit, you’ll learn about how Azure CDN works, and how to create one to improve the performance of a static website.

What is a CDN?

A CDN is a network of web servers that cache website content in different geographical locations. CDNs help to minimize latency by caching website content at point-of-presence (POP) locations that are close to large clusters of users. The use of a CDN is transparent to users of your site.

Geographic distance between a website user and the server hosting the site can be a major contributor to latency. Distance creates latency because of two main factors:

  • First, the transmission speed of electrical signals is finite. The longer the distance, the longer it takes for a sent message to reach the other side.
  • Second, long-distance connections between two computers tend to pass through a relatively large number of internet routers, and each “hop” adds latency.

Using a CDN to cache content closer to users reduces both the transmission delay and the number of router hops.

Enabling a CDN

The process of enabling a CDN for a site depends on the CDN provider you use, but typically requires three steps:

  1. Enter a service agreement with the CDN provider. The service agreement is completed through a web portal.
  2. Configure the CDN.
  3. Modify your site implementation to use the CDN URL for assets that you want cached on the CDN. The changes you’ll need to make will vary significantly depending on the implementation of your site.

How a CDN works

When a user requests a file or asset, the request is routed to the closest POP.

If the data is present on the POP, the data is retrieved.

If the data isn’t present, the POP requests it from the origin server, returns the data to the user and stores a local copy. Follow-on requests for the data are then served locally from the POP.
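The request flow described above, as an added toy simulation (not Azure code, and not part of the original module): users are routed to the nearest POP, the POP serves from its cache when the copy is still fresh, and otherwise fetches from the origin and stores a copy. POP names, distances, TTLs and file contents are made up; the origin request counter shows the "reduced traffic to the origin" benefit.

```python
"""Toy model of CDN point-of-presence (POP) caching.

Added example, not part of the original module and not the Azure CDN
implementation. POP names, distances and TTLs are constructed.
"""


class Origin:
    """The origin server (web server or blob storage) holding the real files."""

    def __init__(self, files):
        self.files = files          # path -> bytes
        self.requests = 0           # how often the origin was actually hit

    def fetch(self, path):
        self.requests += 1
        return self.files[path]


class Pop:
    """An edge location that caches content for a limited time (TTL)."""

    def __init__(self, name, origin, ttl_s):
        self.name, self.origin, self.ttl_s = name, origin, ttl_s
        self.cache = {}             # path -> (bytes, expires_at)
        self.hits = self.misses = 0

    def get(self, path, now):
        entry = self.cache.get(path)
        if entry and entry[1] > now:
            self.hits += 1          # fresh copy present: served locally
            return entry[0]
        self.misses += 1            # missing or stale: go to origin, store a copy
        data = self.origin.fetch(path)
        self.cache[path] = (data, now + self.ttl_s)
        return data


class Cdn:
    """Route each user to the nearest POP (a distance table stands in for DNS/anycast)."""

    def __init__(self, pops, distance_km):
        self.pops = {p.name: p for p in pops}
        self.distance_km = distance_km   # (user_region, pop_name) -> km

    def nearest(self, region):
        return min(self.pops.values(), key=lambda p: self.distance_km[(region, p.name)])

    def request(self, region, path, now):
        return self.nearest(region).get(path, now)


def simulate():
    """Run a constructed request sequence; return (origin_requests, eu_hits, eu_misses, us_hits, us_misses)."""
    origin = Origin({"/video/intro.mp4": b"...video bytes...", "/index.html": b"<html>"})
    eu = Pop("eu-west", origin, ttl_s=600)
    us = Pop("us-east", origin, ttl_s=600)
    cdn = Cdn([eu, us], {("london", "eu-west"): 300, ("london", "us-east"): 5500,
                         ("boston", "eu-west"): 5200, ("boston", "us-east"): 400})
    t = 0
    for region in ["london", "london", "boston", "london", "boston"]:
        cdn.request(region, "/video/intro.mp4", t)
        t += 1
    # After the TTL has passed the EU copy is stale, so this one goes back to the origin.
    cdn.request("london", "/video/intro.mp4", t + 700)
    return origin.requests, eu.hits, eu.misses, us.hits, us.misses


if __name__ == "__main__":
    print("origin requests, eu hits/misses, us hits/misses:", simulate())
```

Six user requests reach the origin only three times: one first fetch per POP plus one refetch after the cached copy expired. Everything else is served from the edge.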

There are four types of CDN available in Azure:

  • Standard Microsoft
  • Standard Akamai
  • Standard Verizon
  • Premium Verizon

The types vary by features and caching options.

This module focuses on the Standard Microsoft CDN. For more information on each type, see the Further Reading section of the Summary unit.

What is an Azure CDN?

Azure Content Delivery Network (CDN) is Azure’s content delivery network. It’s a distributed network of servers that is used to cache and store content. These servers are in locations that are close to end users to minimize latency.

The server locations are referred to as Point-of-presence (POP) locations. CDNs store cached data on edge servers, or servers close to your users, in these POP locations.

Features and Benefits of Microsoft Azure CDNs

Features that Microsoft Azure CDNs offer are:

  • Dynamic site acceleration – speed up the delivery of static files
  • HTTPS custom domain support – enable encrypted connections to custom domains, such as https://www.contoso.com
  • Azure diagnostics logs – view core analytic information and send the data to an Azure Storage Account, Azure Event Hubs, or Log Analytics Workspace
  • File compression – increase performance by reducing the number of bytes in transit
  • Geo-filtering – create rules on your CDN endpoint that use specific paths to allow or block content in selected countries

For more information on these features, see the Further Reading section of the Summary unit.

The benefits from using Microsoft Azure CDNs include:

  • Better performance and a smoother user experience with large or streamed files.
  • Improved results with applications that require multiple round trips to display content.
  • Greater scaling, especially with rapidly spiking loads, such as global launch events.
  • Reduced traffic to the origin server.

Assessing the Suitability of CDNs

CDNs are typically best suited to technologies that employ many large static files. They can also be useful where you need the ability to serve files to a large number of simultaneous users worldwide, for example at a product launch. However, the standard Microsoft CDN in Azure doesn’t provide significant advantage with dynamic sites.

CDNs and Web Servers

Azure CDN supports Web servers running on virtual machines in Azure as origin servers. You can also connect Azure CDN to Azure Websites. By doing that, your site is distributed globally to reduce latency and increase user satisfaction. When you connect your Web site to the CDN and propagate the files, you end up with an identical file structure in the CDN.

Creating a CDN requires specifying a new CDN in Azure. Then you configure an endpoint that points to the origin server or blob storage account. Azure requires unique names for the CDN path and the origin server URL. The exercise in the next unit covers this procedure.

CDNs with Serverless apps and Web apps

A serverless web app in Azure requires no deployment, configuration, or management of servers. This model contains the following components:

  • Blob storage – static web files (HTML, CSS, and JavaScript) are stored in Azure Blob storage, which implements static website hosting. Any dynamic interaction is through JavaScript calls to backend APIs. In consequence, there’s no server-side code to render the web page.
  • Function apps – uses an event-driven model to invoke functions (pieces of code) by using triggers (events). With a serverless app, the trigger might be an HTTP get request.
  • API Management – provides an API gateway that publishes and manages the APIs that client functions use. The gateway also helps to decouple the front-end applications from the APIs. API management can translate URLs, apply transforms to data requests between front and back ends, and configure response headers.

Azure CDN caches the serverless web app content, providing lower latency and faster content delivery to users. CDN can also provide an endpoint for encrypted HTTPS connections. Azure CDN provides similar interaction with Azure Web apps.

CDN Components

Now let’s look in more detail at how CDNs work. There are two concepts here: the CDN profile and CDN endpoints. This section also covers POP propagation times.

CDN Profiles

A CDN profile is a container for one or more CDN endpoints. Each CDN endpoint specifies a pricing tier and provides a link to the cached content on the POP.

When you create a profile, you can specify to create a CDN endpoint or you can create endpoints later. Note how you specify a pricing tier when you create the profile.

CDN Endpoints

When you create an endpoint, you must ensure that the endpoint type matches the origin source correctly. For example, static websites in Azure require an endpoint set to “custom origin”. Storage accounts are different: there you can create a CDN endpoint matched directly to that account.

For more information on integrating a storage account into an Azure CDN, see the Further Reading section of the Summary unit.

POP Propagation Times

Propagation times between POPs vary, according to which CDN profile and pricing tier you’re using.

  • Azure CDN Microsoft Standard profile typically propagates in 10 minutes
  • Azure CDN Verizon Standard and Azure CDN Verizon Premium profiles typically complete in 10 minutes
  • Azure CDN Akamai Standard profile usually propagates in 1 minute

4 Best Security Plugins for Keeping your WordPress Website Secure

How do you increase the level of security and protect your blog or company website from cyber criminals’ attacks and hacking? Meet the 4 best plugins for keeping your WordPress website secure!

Is it worth installing WP security plugins?

WordPress website security plugins are extensions that should be installed at the very beginning, before we even start creating content for the website. These are tools that allow you to protect your website against unauthorized access and attacks by cyber criminals.

Their task is to monitor website traffic, scan files, detect suspicious logins and malware, and notify the user about detected threats. Thanks to them, you can minimize the risk of data loss and malware infection and protect yourself against spam, extortion and online fraud.

Best plugins for keeping your WordPress website secure

iThemes Security

iThemes Security (previously named Better WP Security) is a very simple and intuitive plugin whose task is to protect a website built with WordPress against hacker attacks. The extension closes security gaps in the website, generates strong and hard-to-crack passwords, supports two-factor authentication, blocks bots and restricts access to the control panel by unauthorized users.

The plugin is integrated with Google reCAPTCHA, so you can further increase protection. iThemes Security also monitors and logs website activities, such as editing files. This is one of the strongest security features for WordPress on the market!

Sucuri Security WP Plugin

Sucuri Security is an extension designed to scan your website for malware and notify you of any unwanted login attempts. The extension is available in a free and paid version (extended with a firewall).

Sucuri Security allows you to scan for malware and analyze file integrity on an ongoing basis. This solution is aimed at advanced users. To give the website the maximum level of security, it is worth using it in conjunction with the iThemes Security or Jetpack plugin.

All In One WP Security and Firewall

All In One WP Security and Firewall is one of the best free plugins for comprehensive security of a WordPress site. The extension protects databases and files, protects against content copying and comment spam, and blocks so-called password guessers. The plugin has extensive anti-spam filters and adds a firewall to your website that protects against unwanted logins. The extension is easy to use, and its clear monitoring and ongoing website security assessment suggest how to achieve maximum protection.

Jetpack

Jetpack is a very extensive and multifunctional plugin that ensures the security of websites and blogs built with WordPress. The free protection includes blocking suspicious activity on the website and a firewall. After purchasing a license, the user also gets daily site scans, automated data recovery and technical support from the developers of the extension.

Other ways to increase WordPress security

Remember that good plugins aren’t everything. If you are going to build a website based on WordPress, it is worth taking care of security at the level of hosting selection. Always choose trusted hosting plans that offer backup and high security.

An important rule that helps you take care of security is regular software updates. Information about available updates is displayed in the administration panel and on the WordPress website. Less advanced users should use the automatic update feature to keep their sites properly protected.

Other ways to increase the security of your website:

  • Creating a new user account and assigning administrative privileges to it
  • Avoiding using the default “admin” account created in WordPress
  • Avoiding easy-to-guess usernames, using an e-mail address instead of a username
  • Using only reputable sites for downloading themes and plugins to minimize the risk of attack
  • Use of strong login passwords containing: uppercase and lowercase letters, numbers, symbols (minimum 10 alphanumeric characters)
  • Making regular backups
  • Using an SSL certificate
  • Restricting access to the wp-config.php, .htaccess and .htpasswd files
  • Using two-factor authentication, e.g. as a result of integrating WordPress with Google Authenticator