Are XML-RPC attacks dangerous in WordPress?
If you manage your WordPress site through a third-party app or the WordPress mobile app, you should read this to understand why that is a security concern and what precautions you should take to avert XML-RPC attacks.
What is XML-RPC?
XML-RPC is a protocol for exchanging data between computers on a network. The data is encoded in XML and transported over HTTP to the remote server, which performs the requested action on receipt. In a way, it is a remote control for your site. In WordPress, the protocol is handled by the xmlrpc.php file.
A typical example is managing your WordPress site through a third-party dashboard or the WordPress mobile app. Imagine you are updating an article via the app: once you hit the publish button, your content is encoded in XML and sent to your server over HTTP. On the server side the request is received by xmlrpc.php, which performs basic checks and then carries out the requested action. This is the usual case when you are on the move or somewhere you cannot access your computer.
What are the uses of XML-RPC?
XML-RPC has many practical uses; we list a few of them here to help you decide whether to keep it or disable it.
- Mobile Apps: If you plan to develop an app for your website, XML-RPC will handle the data exchange.
- Communication: xmlrpc.php also lets your site communicate with applications written in Python, Perl and other languages, because the protocol gives both parties a common language.
- Remote Management: This is the main reason it is still part of WordPress core. WordPress has its own apps (iOS and Android) which use xmlrpc.php to manage a WordPress site remotely.
What are XML-RPC attacks?
These are attacks that exploit XML-RPC to affect you in one of the following ways.
- Brute Force: The attacker tries to gain entry to your site by trying many combinations of usernames and passwords. They have tools that test thousands of different username-password combinations using a single command, which lets them bypass security tools that typically detect and block brute force attacks.
- DDoS: The attacker sends a large amount of traffic with the intention of bringing your website down. Attackers use the pingback feature in WordPress to send pingbacks to thousands of sites instantaneously. This feature in xmlrpc.php gives them a nearly endless supply of IP addresses to distribute a DDoS attack over.
Beyond the above, imagine the amount of stress your server faces while handling that traffic.
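As an added example (not code from the original post), the following Python script inspects captured POST bodies sent to xmlrpc.php and flags the two patterns described above: a system.multicall request bundling several distinct username/password pairs (the "single command" behind the brute force), and pingback.ping calls. The sample bodies, the AUTH_METHODS set and the analyse/multicall_body names are assumptions made for this demo.

```python
import xmlrpc.client

# WordPress XML-RPC methods whose first two parameters are username/password.
# Assumption: extend this set with whatever methods your own logs show being abused.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.getProfile", "wp.getUsers"}

def analyse(body: str) -> dict:
    """Summarise one captured POST body that was sent to xmlrpc.php."""
    params, method = xmlrpc.client.loads(body)
    info = {"method": method, "nested_calls": 0, "credential_pairs": 0,
            "pingback_source": None, "suspicious": False}
    if method == "system.multicall":
        calls = params[0]  # list of {"methodName": ..., "params": [...]}
        creds = set()
        for call in calls:
            if call.get("methodName") in AUTH_METHODS and len(call.get("params", [])) >= 2:
                creds.add(tuple(call["params"][:2]))
        info["nested_calls"] = len(calls)
        info["credential_pairs"] = len(creds)
        # A genuine client signs every nested call with one account; several
        # distinct username/password pairs in one request is password guessing.
        info["suspicious"] = len(creds) > 1
    elif method == "pingback.ping":
        # Parameter 0 is the URL claiming to link to us, parameter 1 is our post.
        info["pingback_source"] = params[0]
        info["suspicious"] = True  # review these if you do not want pingbacks at all
    elif method in AUTH_METHODS:
        info["credential_pairs"] = 1
    return info

def multicall_body(attempts) -> str:
    """Constructed sample body: one wp.getUsersBlogs call per (username, password)."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": list(pair)} for pair in attempts]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")

# Constructed sample pingback.ping body, as the WordPress pingback endpoint receives it.
PINGBACK_BODY = """<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>http://source.example/post</string></value></param>
<param><value><string>https://our-site.example/?p=1</string></value></param>
</params></methodCall>"""

if __name__ == "__main__":
    guesses = multicall_body([("admin", "pass1"), ("admin", "pass2"), ("editor", "pass3")])
    print(analyse(guesses))        # three distinct credential pairs: suspicious
    print(analyse(PINGBACK_BODY))  # pingback from http://source.example/post
```

Feed it the bodies your web server, WAF or reverse proxy logs for POSTs to xmlrpc.php; a legitimate WordPress app multicall reports a single credential pair.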
What can you do to save yourself from XML-RPC attacks?
There are a number of ways to save yourself from this agony; we list a few of them below to get you started.
Several plugins are available to help you control xmlrpc.php transactions, and we will list a few that you may try out.
Disable XML-RPC Pingback
This is my preferred approach: it stops all incoming xmlrpc.php requests before they are passed on to WordPress. In this method you will be editing your .htaccess file.
- Open your .htaccess file using an FTP client or the file manager of your choice (make sure 'show hidden files' is turned on).
- Inside your .htaccess file, add the code below:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
Note: xxx.xxx.xxx.xxx is the IP address you wish to allow to access xmlrpc.php; if you want a complete block, remove that line entirely.
XML-RPC attacks have been quite damaging for some WordPress site owners, so it is a very good idea to disable this for the security of your WordPress site unless you have unavoidable reasons to keep it enabled.
Have you secured your WordPress site by disabling xmlrpc.php? Did you do it with a plugin or by editing the .htaccess file? What made you come here looking for a solution? Share your experience in the comments below.