What is the Xmlrpc.php File and What Does it Do?
The xmlrpc.php file was implemented to let let webmasters interact with their sites. For all intense and purposes it acted like an API. A really bad and insecure one. “RPC” stands for Remote Procedure Call, a method that uses XML passed via HTTP as the transport mechanism. While Xmlrpc.php had many functions, trackbacks and pingbacks are the most widely used and problematic.
Other functions allowed webmasters interact through mobile or even load pre-written articles. This was important when internet connections were slow and made editing online difficult. The internet has moved on and is much faster so this functionality is not as useful as it once was.
XML-RPC Early Days to Now
Pre-2008 XML-RPC could be disabled. This was a handy feature that allowed a webmaster to turn off the unnecessary functionality. In 2008 the WordPress iPhone app was added to the app store and webmasters could no longer easily disable XML-RPC functionality. This left WordPress sites open and vulnerable. Why do we say vulnerable? As we hinted above xmlrpc.php was not created with security in mind.
WordPress has implemented a new REST API and will be phasing out XML-RPC. The solution is still in a transition phase and XML-RPC is still available. So webmasters should still be concerned. Once the API is fully implemented and XML-RPC is removed then webmasters can relax about xmlrpc.php and start worrying about the new issues that the API will have.
Why Webmasters should Disable Xmlrpc.php
Security of a website is possibly the main concern of webmasters after content. XML-RPC greatly hinders a webmasters ability to maintain security.
Why is xmlrpc.php a security risk? There are 2 main methods.
1. XML-RPC allows for brute force attacks on WordPress installations. a hacker will use a bot programme to brute force attack a Website. By attacking xmlrpc.php the hacker can bypass most of the security plugins that WordPress are designed to detect and block brute force attacks. A hacker can test thousands of username and password combinations in seconds.
2. DDoS attacks are the next big issue with XML-RPC. Hackers can use the pingback feature of WordPress to send thousands of pingback request that can make MySQL or whatever database package is being used to fall over. This will take the WordPress site offline and in severe cases can cause a corruption of the MySQL database.
While strong passwords can help to hold off a hacker using method 1. It will not help a hacker who is attempting method 2.
One thing we do have to mention is that the very popular Jetpack plugin still uses XML-RPC. If you are considering disabling xmlrpc.php and are using Jetpack then you might need to reconsider what we are proposing.
How a Webmaster can Disable xmlrpc.php
- Using a plugin to disable xmlrpc.php. We have tried two and they both work well. Disable XML-RPC and Remove & Disable XML-RPC Pingback. You do this by going to the Plugins area and clicking on Add new , search for xmlrpc, pick one of the plugins and click the install now button.
- Deleting the xmlrpc.php file. This sounds drastic but it does not actually affect WordPress at all. The only systems it will affect are trackback on pingback. You may need to get a systems admin to do this for you. The only problem is that when WordPress is upgraded it can put the file back.
- A webmaster can block access to xmlrpc.php with web server commands, although once again the services of a system administrator may be required. Both Apache and NGINX, which are the two main Web Server applications allow for the blocking of access to certain files in a directory.
While xmlrpc.php is not long for this world, it currently is still an issue and must be dealt with. The new API will be taking over all the functionality of xmlrpc.php whilst providing much more security. We highly recommend disabling it especially if you are having issues with hackers.
XML-RPC was a great solution 10+ years ago but is now very long in the tooth. The developers of WordPress have recognized this and are phasing it out. WordPress Webmasters should prepare themselves for the day when xmlrpc.php no longer exists.