Blocking xml-rpc Access

I’ve heard that I should disable xml-rpc on a WordPress website.

Why should I disable it and how?

XML-RPC: What is it, and how to disable it?

What is xml-rpc?

This is the interface through which external programs connect to the WordPress API.

It allows apps such as the WordPress app on an iPhone or Android device to connect to the WordPress website. With the app I can readily edit and create blog posts.

No need to navigate to the website with a browser to login and perform these actions.

It is also used for Trackbacks and Pingbacks, whereby the website checks to see who is referencing its post content.

The popular JetPack plugin, developed by Automattic, relies heavily on the use of xml-rpc.

Why would you want to restrict it?

It poses a security risk.

Attempts to gain access this way are potentially less likely to be detected.

It also has the potential to be the target of a denial of service attack.

How to restrict it?

xml-rpc is implemented using the file xmlrpc.php.

Access to the file can be restricted completely or limited to configured IP addresses.

To do this we’ll use the file .htaccess, located in the root of the website, restricting file access by IP Address.

Here’s the block of lines which we’ll add to the file.

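# block xml-rpc
# Apache 2.2-style access directives; on Apache 2.4 they need mod_access_compat
<Files "xmlrpc.php">
Order Deny,Allow
deny from all
# placeholder address; replace with the IP address you want to allow
allow from 203.0.113.10
</Files>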

We’ll choose to set the order as deny first, then allow. Note that there is no space after the comma.

Order Deny,Allow

This allows us to block all sites with the simple

deny from all

A one line global block on access.

If we are implementing a full restriction on access that’s all we would need.

But to allow access from a single IP address we add the following (203.0.113.10 is a placeholder; use your own address)

allow from 203.0.113.10

Further instances of this can be added with single IP addresses or ranges.

Further thoughts

It’s going to be a compromise. Is there a plugin or app which you can’t do without? If the answer is yes then completely shutting down xml-rpc is probably not going to be an option.

Maybe restrict the access to a limited range of IP addresses. Depending upon what you wish to connect to it, this may be an option. Do you only blog with the WordPress app from a fixed location? Then not a problem.

If none of these is an option for you then leaving access to xml-rpc open will be your option.

Anything more?

Yes, you can use one of the WordPress security plugins to monitor and take action against attempts to gain access via xml-rpc.

And there’s the development of the WordPress REST API – check to see whether there’s an equivalent of your must-have app or program which uses this.
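One way to check from the Apache access log that the xmlrpc.php restriction is being applied, and to spot clients making repeated xml-rpc requests; this is an added example, not part of the original post. It assumes the Apache common/combined log format, and the allowed address, the threshold and the sample log lines are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

ALLOWED = {"203.0.113.10"}  # assumption: the address listed after "allow from"
THRESHOLD = 3               # assumption: request count worth a closer look

def xmlrpc_report(lines, allowed=ALLOWED, threshold=THRESHOLD):
    """Return (leaks, noisy) for xmlrpc.php requests found in access-log lines.

    leaks: clients outside the allow list that received anything other than 403,
           meaning the .htaccess restriction was not applied to them.
    noisy: clients with at least `threshold` requests, blocked or not.
    """
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        # Drop the query string; match the file wherever WordPress is installed.
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/xmlrpc.php"):
            continue
        hits[m["ip"]][int(m["status"])] += 1
    leaks = sorted(ip for ip, st in hits.items()
                   if ip not in allowed and any(code != 403 for code in st))
    noisy = {ip: sum(st.values()) for ip, st in hits.items()
             if sum(st.values()) >= threshold}
    return leaks, noisy

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.10 - - [10/Mar/2024:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress app"',
    '192.0.2.44 - - [10/Mar/2024:10:06:00 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:10:06:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    leaks, noisy = xmlrpc_report(SAMPLE)
    print("not blocked:", leaks)
    print("repeated requests:", noisy)
```

A non-empty first list means some client outside the allow list is still reaching xmlrpc.php, so the .htaccess block should be rechecked.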

