How (And Why) To Disable WordPress XML-RPC

In my opinion, the XML-RPC function in WordPress is a nightmare. Back in the day, core WordPress contributors thought it would be a cool idea to allow remote connections to WordPress websites, for the purpose of such things like a desktop blogging client (or more recently, for the WordPress mobile apps that allow blog management from a smartphone, etc).

They quickly discovered, however, that XML-RPC was a primary target for hackers and server exploitation. In fact, prior to WordPress 3.5, the XML-RPC function was disabled by default in all WordPress installations. However, in a WordPress core track ticket that announced XML-RPC would be enabled by default in 3.5, contributor @nachin explained:

Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core. There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.

Simply put, this is 100% wrong. Just several months later, web security firms Incapsula, Sucuri, and others reported massive DDOS attacks (in the millions) were being carried out against WordPress websites by using the XML-RPC script included in all WordPress installations (and this isn’t even mentioning the millions of “pingback/trackback” spam attacks that happen on a daily basis via XML-RPC). Now a few years on, and there are hundreds and hundreds of bloggers across the web posting bewildered support requests and testimonies claiming their website or server is “crashing” because of XML-RPC.

All this, because of a function that literally NOBODY uses. The only popular use for XML-RPC is its “pingback” functionality, which again, is 99% of the time just a feature abused by hackers and spammers to exploit poorly managed WordPress blogs (i.e. posting links to Viagra, etc). I mean really, if we asked around, what percentage of WordPress users would say they use their smartphone for blogging, or would say they actually use the “pingback/trackback” feature on a daily basis?

The answer for 99% of WordPress bloggers would be a resounding NOPE!

Correction: The popular Jetpack plugin also uses XML-RPC for some of its features… but frankly, you shouldn’t be using Jetpack if you care about site performance, as it calls various 3rd party resources and is generally a poor, overloaded concept.

Anyway, the in-depth arguments against XML-RPC can be saved for another day. For now, suffice it to say that 99% of the people reading this should go ahead and disable XML-RPC using the methods below:

1. Disable XML-RPC. Our free WordPress plugin is by far the easiest way to disable XML-RPC completely on your WordPress website. Simply install it and forget it, and you are (mostly) good to go. However, bots can still target your actual /xmlrpc.php file on your server (causing excessive load in many cases), so this is only a partial solution.

2. Theme Functions. If you don’t want to install the plugin above, you can simply put the below code in your theme’s functions.php file. However, this is not recommended, as the WordPress community has been encouraging the removal of theme-specific functions and implementing a WordPress plugin instead. Anyway, here is the code:

add_filter('xmlrpc_enabled', '__return_false');

3. Disable Pingbacks/Trackbacks. If you have done either #1 or #2 above, this setting won’t matter much. Still, for good measure (and to keep your blog’s administrators aware) you should also go into WordPress Settings >> Discussion and clear the checkbox for “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles”

4. Apache htaccess. As mentioned in #1, “disabling” XML-RPC functions in WordPress is only a partial solution to stopping DDOS attacks and/or pingback spam. To REALLY block abuse of your xmlrplc.php file, you must deny public access:

## block any attempted XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

5. Nginx server block. Last but not least, hopefully you are using an Nginx server rather than Apache these days (as do all of our managed hosting clients). If so, you can add the below code to your appropriate Nginx server block rules:

## block any attempted XML-RPC requests
location = /xmlrpc.php {
    deny all;
    }

Note: some bloggers and web hosting companies have advised WordPress users to simply “delete” the xmlrpc.php file after they install WordPress. This is a bad idea for a few reasons: firstly, whenever you update WordPress, that file will come back anyways, and secondly, anything trying to access the file will generate a 404 error (rather than “denied”) which isn’t really proper server management. Depending on your setup, 404 errors could still put great load on your website too.

Tags: Apache, DDOS, htaccess, Nginx, Pingbacks, Server Management, Spam, Trackbacks, XML-RPC