WordPress and xmlrpc.php – why should you block it?

If you took a good look at the WordPress installation on your hosting, you have surely noticed that the xmlrpc.php file is visible in the website directory. This enigmatic name is associated with the XML-RPC protocol, which is used by WordPress to communicate with other external systems. Its mere presence is not as dangerous as its direct use.

What is the xmlrpc.php file for?

WordPress is CMS software that can be used not only after logging into the administration panel, but also using external applications. The xmlrpc.php file is responsible for enabling communication with and to the application using the XML-RPC function, which has been available in WordPress almost from the beginning of its existence. Over the years, it turned out that this feature creates potentially dangerous opportunities and makes it easier to hack into websites that use WordPress applications.

One of the options that used the XML-RPC feature was the site-specific pingbacks and trackbacks. If you are browsing your WordPress settings, you will surely come across these names in your Discussion settings.

What are the dangers of an active xmlrpc.php file?

The xmlrpc.php file and the XML-RPC function, if enabled, are a very easy morsel for a potential hacker. There are many possibilities of using this option, but the most common 2 uses of this vulnerability are:

  • Brute force attacks
  • DDOS attacks on the website

It is worth mentioning that XML-RPC is used in the current WordPress environment much less often than a few years ago. Nevertheless, its presence is a potential threat to the site itself.

How to block an xmlrpc.php file?

Disabling XML-RPC does not delete the file itself (which is not worth doing anyway), but most of all it blocks any potential traffic that may be accessing it. To protect your website, use the options provided by the web hosting and the WordPress application itself.

Block xmlrpc.php via WordPress

For this type of lock, use the functions.php file, which you can find in the AppearanceTheme File editor tab. To the functions already present (this file may also be empty), add the line:

add_filter('xmlrpc_enabled', '__return_false');


Lock xmlrpc.php file using .htaccess file on hosting

Thanks to the hosting functionality, you can also block such a file by editing the .htaccess file in the website directory. Add a line to the content of the file:

<files xmlrpc.php>
Order allow, deny
Deny from all

You do not know how to properly edit this file? Check out the example manual that explains how to use the .htaccess file on any WordPress hosting.

How to check if a WordPress website is using XML-RPC?

At first glance, you cannot tell if your website has XML-RPC enabled. To perform the test, go to the website at https://xmlrpc.eritreo.it/ and enter the full URL of your website.

If the test is successful (green tick) – the page uses this function and is unsecured. A red cross means that access to the script and functions is blocked.

Leave a Reply

Your email address will not be published.