If you’re not using XML-RPC, you should disable it from your site to prevent bots/hackers from hacking your site or slowing down your site with repeat XML-RPC attacks. Usually, the biggest problem with XML-RPC attacks is not that they get in but that they bog down your server with so many blocked requests.
- XML-RPC is used to commonly used to connect to your site and blog from an a mobile app or remote publishing service. If you never publish to your site from anywhere but directly in WordPress admin itself, you are fine to disable it!
- You can easily block all xmlrpc.php requests using .htaccess to prevent them from even getting passed into WordPress. Don’t bother using a security plugin for this, they’re either slower to process the block or they essentially do the same by adding this same bit of code to your htaccess.
Apache/LiteSpeed servers can paste the following code in your .htaccess file (preferably at the very top):
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Quick note…if you need to leave it on for certain IP, you can whitelist your IP and also Jetpack IP’s (if you use it).
Nginx servers can paste the following code into the functions.php (submitted by Regev):
// Disables XML-RPC
add_filter( ‘xmlrpc_enabled’, ‘__return_false’ );
function disable_x_pingback( $headers ) {
unset( $headers[‘X-Pingback’] );
return $headers;
}
add_filter( ‘wp_headers’, ‘disable_x_pingback’ );
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[‘pingback.ping’] );
return $methods;
} );
Reference link to learn more about XML-RPC:
Latest Guides
How does Google Adsense Works?
A beginners guide to Adsense. Everything you need to know to get…
Learn How To Optimize Shopify Liquid code
Why you should optimize liquid code? There are several reasons why you…
Best CDN Providers for WordPress
CDN’s are becoming all the rage nowadays ever since CloudFlare offered their…
Is WordPress insecure? (no, it isn’t!)
I think it’s a silly question and often misinterpreted by newbies/non-coders for…