Do you manage your WordPress site via a third-party app or the WordPress mobile app? Then you should read this to understand why that is a security concern and what steps you should take as precautions to avert XML-RPC attacks.
XML-RPC is a protocol for exchanging data between computers on a network. The data is encoded in XML and transported over HTTP to the remote server. Upon receiving the request, the server performs the desired action. In a way, you can think of it as a remote control for your site. In the context of WordPress, this is mostly about the xmlrpc.php file.
A typical example is managing your WordPress site using third-party dashboards or the WordPress mobile apps. Imagine you are changing something or updating an article via the app. Once you hit the publish button, your content is encoded in XML and transferred to your remote server via HTTP. On the server, the request is received by the xmlrpc.php file, which does the basic checks and performs the needed actions. This is the usual case when you are on the move or somewhere you cannot access your computer.
XML-RPC has many practical uses; we will list a few of them here to help you decide whether to keep it or disable it.
These are the types of attacks that exploit XML-RPC to affect you in one of the ways below.
Beyond the above, imagine the amount of stress your server might be facing.
There are a number of ways to save yourself from the agony; we will list a few of them below to get you started.
There are a number of plugins available to help you control xmlrpc.php transactions, and we will list a few that you may try out.
Disable XML-RPC Pingback
This is my preferred approach, and it will stop all incoming xmlrpc.php requests before they get passed on to WordPress. In this method you will be editing your .htaccess file.
    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    </Files>
Note: xxx.xxx.xxx.xxx is the IP address you wish to allow to access xmlrpc.php. If you want a complete block, remove this line completely.
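To confirm the .htaccess rule above is doing its job, you can audit your access log after deploying it. The script below is an added example, not part of the original article: it assumes Apache's "combined" log format and that denied requests are answered with 403, the function name `audit_xmlrpc` is hypothetical, and the sample log lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.20 - - [10/Jan/2024:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "app"',
    '192.0.2.55 - - [10/Jan/2024:10:02:00 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 200 380 "-" "-"',
    '203.0.113.7 - - [10/Jan/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 900 "-" "-"',
]

def audit_xmlrpc(log_lines, allowed_ips=()):
    """Return (blocked, leaked) Counters keyed by client IP.

    blocked: xmlrpc.php requests answered 403 (the rule is working).
    leaked:  xmlrpc.php requests from IPs outside the allow list that
             received any other status (the rule is not covering them).
    """
    allowed = set(allowed_ips)
    blocked, leaked = Counter(), Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and compare the last path segment, so
        # /blog/xmlrpc.php and /xmlrpc.php?x=1 are both caught.
        path = m["path"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() != "xmlrpc.php":
            continue
        ip = m["ip"]
        if m["status"] == "403":
            blocked[ip] += 1
        elif ip not in allowed:
            leaked[ip] += 1
    return blocked, leaked

if __name__ == "__main__":
    blocked, leaked = audit_xmlrpc(SAMPLE_LOG, allowed_ips=["198.51.100.20"])
    print("blocked:", dict(blocked))
    print("leaked: ", dict(leaked))
```

Any IP that shows up under "leaked" reached xmlrpc.php without being on your allow list, which means the rule is missing from that directory or virtual host.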
XML-RPC attacks have been pretty damaging for a few WordPress website owners, so it is a very good idea to disable XML-RPC for the security of your WordPress site unless you have unavoidable reasons to keep it enabled.
Have you secured your WordPress site by disabling xmlrpc.php? Did you do it by using a plugin, or did you edit the .htaccess file? What made you come here looking for a solution? Share your experience in the comments below.