WordPress uses an implementation of the XML-RPC protocol in order to extend functionality to software clients.
This Remote Procedure Calling protocol allows commands to be run, with data returned formatted in XML.
Beginning with WordPress 3.5 the XML-RPC functionality is enabled by default, without a way to disable.
Do I need WordPress XML-RPC?
Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common causes for exploits.
Some clients such as the official WordPress Mobile Apps and Blogger use XML-RPC requests to function.
All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.
A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API
Block WordPress xmlrpc.php requests with .htaccess
I want to send WordPress XML-RPC requests from my fictional IP address of 220.127.116.11.
So I can deny all requests to the xmlrpc.php file, except for that IP, using the following .htaccess rules:
# Block xmlrpc.php requests <Files "xmlrpc.php"> order deny,allow deny from all allow from 18.104.22.168 </Files>
If you didn’t need any IP addresses to use XML-RPC requests, just don’t use any allow lines.
Thoughts on “Disable WordPress XML-RPC requests”
@Kyle for Nginx you can also just use the free plugins too:
If you migrate site the rules can be lost in htaccess file, etc. And plugin is support by the Inmotion server too.
I’m using nginx for wordpress and and I can see there are many request for xml-rpc file being made that is causing un-necessary blocking of server.
Please help to bloxk xml-rpc on nginx, site is : https://dealslama.com
If you wanted to block access to the xmlrpc.php in NGINX you can add the entry below to your NGINX configuration. This entry uses the 444 Response which is unique to NGINX and will cause NGINX to terminate the connection to the client requesting it without sending a response which will help save processing power/bandwidth if your server is being attacked.
There is a module for that here: https://wordpress.org/plugins/disable-xml-rpc/
As of February 2015, a plugin disables XML-RPC to where it’s not a problem: https://wordpress.org/plugins/disable-xml–rpc
you can disable per the following.
WordPress v3.5 introduces the filter
You can add this code to your
wp_config.phpafter the line
require_once(ABSPATH .'wp-settings.php');if you want to disable XML-RPC for your site. Surely a better solution is to create a small plugin.
My WP site just got hacked by some Bangladesh’ hackers group. Looking through access logs I discovered xmlrpc.php was flooded with POST requests. No FTP was used in the attack, so I assume hackers must have gained access through the xmlrpc. Disabled permanently.
Thank God they didn’t do more damage.
These discussion helps me to understand xml rpc
No suggestions, the explanation was clear and concise.
By completely blocking xmlrpc.php, isn’t this also disabling the legitimate use of it for pingbacks?