What is XML-RPC?
The term XML-RPC (XML Remote Procedure Call) may seem a bit strange to WordPress users. Unlike other common WordPress terms, XML-RPC is rarely mentioned in WordPress tutorials, so let us first understand what it actually is before deciding whether to disable it. The XML-RPC functionality of WordPress enables desktop apps, mobile apps and other services to communicate with our WordPress installation. Tools like Windows Live Writer can publish posts to our WordPress website without our ever logging in to the dashboard; they talk to WordPress through XML-RPC.
In short, XML-RPC allows remote access to our WordPress system, through which an external application can create a new post, edit a post, add comments and so on. The entire list of functions exposed through this interface is available here for my tech-savvy readers.
Tools like Windows Live Writer are of great use, especially when we run a multi-author blog. We may not always want to give every author dashboard access to our website, and in such cases Windows Live Writer proves to be a great advantage. So, in that case, why would we want to disable XML-RPC on our WordPress site?
Why is XML-RPC a security threat?
Attackers can abuse the XML-RPC interface in a number of ways. A WordPress XML-RPC attack can try thousands of logins against our website with a single request, which is a form of brute-force attack. If we have secured our WordPress installation, these login attempts will fail, but such a flood of requests will still slow down our server or eventually take it down, resulting in site downtime. WordPress security pioneers Sucuri have written a detailed post on this topic. The decision to disable XML-RPC is purely a matter of preference after weighing the pros and cons: if it is disabled, some features of popular plugins like Jetpack may stop working, as they depend on XML-RPC for a few of their services.
So if we have decided to disable XML-RPC to improve our WordPress site security, I will explain the different methods of doing it. The first two methods below require technical knowledge of the WordPress system; if we are not comfortable with that, we can go directly to the third method, which uses a plugin.
Method 1: Disable XML-RPC via functions.php
If we are comfortable with adding code snippets, this is the preferred method. Just add the following code snippet to the functions.php file of our child theme to disable XML-RPC.
Never modify the parent theme's functions.php file, as it is overwritten during a theme update and all our changes would disappear. Even modifying the child theme's functions.php file has a downside: if we change the theme, we have to redo the modification in the new theme. An alternative is to create a site-specific plugin and add the code snippet there; in that case the change survives any theme change.
Modifying the functions.php file to disable XML-RPC has another downside. The remote calls are only blocked after the request has already been handed to the WordPress core, so each blocked call still consumes resources on our blog server. A better and more efficient approach is to block the remote procedure calls at the web server level, before they ever reach the WordPress core, by modifying the .htaccess file as explained below.
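The following is an added example of the functions.php / site-specific-plugin approach; it is not the post's own snippet. It relies on three real WordPress core hooks: the xmlrpc_enabled filter (which only turns off the XML-RPC methods that require a login, so unauthenticated methods such as system.listMethods and pingback.ping keep answering unless removed separately), the xmlrpc_methods filter, and the wp_headers filter. The plugin header comment is only needed when the file is installed as a site-specific plugin; inside a child theme's functions.php the hook calls alone are enough.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (site-specific)
 * Description: Added example for this post. Drop the file into
 *              wp-content/plugins/ and activate it, or copy the hook
 *              calls below into the child theme's functions.php.
 */

// Core's xmlrpc_enabled filter turns off every XML-RPC method that needs a
// login, which removes the login brute-force surface described in the post.
// It does NOT affect unauthenticated methods, so those are handled next.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback methods from the published method table. They need no
// login and are the part of XML-RPC most often used to generate unwanted
// traffic against a site.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> in the page head that tells clients where xmlrpc.php lives.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After activating this, a Jetpack connection will fail for the reason the post gives above, and requests to xmlrpc.php are still processed by PHP before being refused, which is the resource cost the next paragraph describes.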
Method 2: Disable XML-RPC via the .htaccess file
Never try this if we are not sure about the .htaccess file. Any undesired modification to this file can take the whole website down. Just add the code snippet below to the .htaccess file to completely block XML-RPC. The rules must be wrapped in a <Files xmlrpc.php> block so that only that file is denied; a bare "Deny from all" at the top level of .htaccess would block the entire site.
# DENY START XML RPC REQUESTS
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# DENY END XML RPC REQUESTS
# On Apache 2.4 without mod_access_compat, replace the Order/Deny lines with: Require all denied
Method 3: Disable XML-RPC via plugin
Install and activate the Disable XML-RPC WordPress plugin. This plugin does not have a settings page; once activated, it blocks all XML-RPC requests.
Additional Tip: We can test the XML-RPC status of our site by going to the XML-RPC Validator. Just enter the website URL and check whether XML-RPC is disabled or not.
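As an added example of the same check done from the command line (this is not the validator's code, nor part of the original post), the script below sends a parameterless XML-RPC call to our own site's xmlrpc.php and classifies the reply. The three sample responses at the bottom are constructed, so the classifier can be exercised offline; the site URL in the final comment is a placeholder. Note the caveat from Method 1: with only the xmlrpc_enabled filter in place, an unauthenticated probe such as system.listMethods still answers normally and the result will read "enabled", whereas the .htaccess block of Method 2 shows up as "blocked" because the web server refuses the request before WordPress runs.

```php
<?php
// Added example: probe whether a WordPress site still answers XML-RPC calls.
// Uses only core PHP (cURL and SimpleXML), not the optional xmlrpc extension.

/** Build a minimal XML-RPC call body for a method that takes no parameters. */
function xmlrpc_call_body( string $method ): string {
    $name = htmlspecialchars( $method, ENT_XML1, 'UTF-8' );
    return "<?xml version=\"1.0\"?>\n<methodCall><methodName>{$name}</methodName><params/></methodCall>";
}

/**
 * Classify an HTTP status and body returned by xmlrpc.php as
 * 'blocked' (refused before WordPress ran), 'disabled' (WordPress answered
 * with an XML-RPC fault), 'enabled' (a normal methodResponse) or 'unknown'.
 */
function classify_xmlrpc_response( int $status, string $body ): string {
    if ( $status === 403 || $status === 404 ) {
        return 'blocked';
    }
    libxml_use_internal_errors( true );
    $xml = simplexml_load_string( $body );
    if ( $xml === false || $xml->getName() !== 'methodResponse' ) {
        return 'unknown';
    }
    // WordPress answers login-required methods with a fault when the
    // xmlrpc_enabled filter returns false.
    return isset( $xml->fault ) ? 'disabled' : 'enabled';
}

/** Send the probe to our own site and return [status, body]. */
function probe_xmlrpc( string $site_url, string $method = 'system.listMethods' ): array {
    $ch = curl_init( rtrim( $site_url, '/' ) . '/xmlrpc.php' );
    curl_setopt_array( $ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => xmlrpc_call_body( $method ),
        CURLOPT_HTTPHEADER     => [ 'Content-Type: text/xml' ],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ] );
    $body   = (string) curl_exec( $ch );
    $status = (int) curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    curl_close( $ch );
    return [ $status, $body ];
}

// Constructed sample responses so the classifier runs offline.
$samples = [
    [ 403, '<html><body>Forbidden</body></html>' ],
    [ 200, '<?xml version="1.0"?><methodResponse><fault><value><struct>'
        . '<member><name>faultCode</name><value><int>405</int></value></member>'
        . '<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>'
        . '</struct></value></fault></methodResponse>' ],
    [ 200, '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
        . '<value><string>system.listMethods</string></value></data></array></value></param></params></methodResponse>' ],
];
foreach ( $samples as [ $status, $body ] ) {
    echo $status, ' => ', classify_xmlrpc_response( $status, $body ), PHP_EOL;
}

// Live check against our own site (placeholder URL, replace with ours):
// [ $s, $b ] = probe_xmlrpc( 'https://example.com' );
// echo classify_xmlrpc_response( $s, $b ), PHP_EOL;
```

Running the script prints "blocked", "disabled" and "enabled" for the three constructed samples, in that order. Run the live check only against a site we administer, and re-run it after a theme change or plugin update to confirm the block is still in place.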