xmlrpc.php is the file WordPress uses for remote access over XML-RPC: the WordPress mobile apps and some plugins talk to the site through it. In recent years it has turned into a liability, because most brute-force login attempts against WordPress are sent through xmlrpc.php rather than through wp-login.php. If you want to disable it, use one of the methods below.

Before disabling it, find out whether anything you rely on actually uses it; only then decide whether you can switch it off. Below are the cases where the xmlrpc.php file is needed.
If you use the WordPress smartphone app, you cannot simply disable it, because xmlrpc.php is what the mobile apps use to reach your site. (There are ways to keep the app working while xmlrpc.php is closed to the public; the IP-filter rules further down do exactly that.)
If you use the Jetpack plugin, do not disable xmlrpc.php: Jetpack needs the file to talk to WordPress.com. Jetpack also ships its own brute-force protection, and that protection covers logins sent through xmlrpc.php, so leaving the file open with Jetpack active is a smaller risk than leaving it open on its own.
Do not disable it if you rely on pingbacks. When you link to a third-party site in a post, WordPress notifies that site over XML-RPC, and other sites notify you the same way when they link to you.
How do you know whether pingbacks are enabled? If your comment queue fills with automatic pingback comments shortly after you publish a post that links to other sites, pingbacks are enabled and xmlrpc.php is reachable. The setting itself lives under Settings > Discussion.
If none of the above applies to you, just disable xmlrpc.php and keep WordPress out of reach of brute force. XML-RPC pingbacks are also abused for DDoS: an attacker sends pingback.ping requests naming a target URL, your site dutifully fetches that URL, and your server burns hosting resources while helping to flood someone else. Enough pingback requests aimed at your site will also exhaust it and bring it down.
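One way to answer "do I actually use xmlrpc.php?" before blocking it is to look at who calls it in the web server's access log. The following Python script is an added example, not part of the original post and not code from WordPress: it parses combined-format access log lines, counts POST requests to /xmlrpc.php per client IP, records the user agents each IP presented (so you can recognise your own phone or a plugin), and flags IPs that exceed a burst threshold. The log lines, IP addresses and user-agent strings are constructed for the example, and the threshold of 20 is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" access log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_report(lines, burst_threshold=20):
    """Count POSTs to /xmlrpc.php per client IP and list the user agents each IP presented.

    Only POST counts: a GET to xmlrpc.php is refused by WordPress with 405 and cannot
    carry a login. One POST can hold many login attempts when the attacker wraps them
    in system.multicall, so these counts are a lower bound on the real attempt rate.
    """
    by_ip = Counter()
    agents = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path != "/xmlrpc.php" or rec["method"] != "POST":
            continue
        by_ip[rec["ip"]] += 1
        agents[rec["ip"]][rec["ua"]] += 1
    suspicious = sorted(ip for ip, n in by_ip.items() if n >= burst_threshold)
    return {
        "by_ip": dict(by_ip),
        "agents": {ip: dict(c) for ip, c in agents.items()},
        "suspicious": suspicious,
    }


def _line(ip, method, path, status, ua, ts="10/Oct/2023:13:55:36 +0000"):
    """Build one constructed log line in combined format (sample data, not a real log)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: a scanner hammering xmlrpc.php, a phone using the mobile app,
# one GET probe, and one ordinary browser login that has nothing to do with XML-RPC.
SAMPLE_LOG = (
    [_line("198.51.100.7", "POST", "/xmlrpc.php", 200, "Mozilla/5.0 (constructed scanner UA)")] * 30
    + [_line("203.0.113.10", "POST", "/xmlrpc.php", 200, "wp-android (constructed app UA)")] * 2
    + [_line("192.0.2.5", "GET", "/xmlrpc.php", 405, "curl/8.0")]
    + [_line("192.0.2.5", "POST", "/wp-login.php", 302, "Mozilla/5.0 (constructed browser UA)")]
)

if __name__ == "__main__":
    report = xmlrpc_report(SAMPLE_LOG)
    for ip, n in sorted(report["by_ip"].items(), key=lambda kv: -kv[1]):
        flag = "  <-- burst, likely brute force" if ip in report["suspicious"] else ""
        print(f"{ip:16} {n:4} POSTs  agents={list(report['agents'][ip])}{flag}")
```

To run it against a real log, pass the file object instead of SAMPLE_LOG, for example xmlrpc_report(open("/var/log/apache2/access.log")). An IP that appears with only a handful of POSTs and a user agent you recognise is your own app or plugin; that is the address you would put into the allow rules later in the post.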
Here are all the ways you can disable XMLRPC for WordPress.
First, check whether it is reachable at all. Open your domain followed by /xmlrpc.php in a browser. If the page answers with the text "XML-RPC server accepts POST requests only.", XML-RPC is enabled and exposed to the public: the file only refuses GET requests, and it still handles POST, which is what attackers send.

We do not recommend the widely repeated advice of adding the filter below to your theme's functions.php. It does not close the file. The xmlrpc_enabled filter only switches off the XML-RPC methods that require authentication: a login through wp.getUsersBlogs, for instance, is answered with a "services are disabled" fault before the password is checked. Unauthenticated methods such as system.listMethods and pingback.ping keep working, so the pingback abuse described above is untouched, and every request still reaches PHP and WordPress, so a flood of them still costs you hosting resources.
/* Not the best way to disable xmlrpc.php: only authenticated methods are switched off */
add_filter('xmlrpc_enabled', '__return_false');
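The difference between "closed" and "merely filtered" is easy to verify by hand, and it also covers the browser check from the start of this section. The Python script below is an added example, not code from the original post or from WordPress. It serialises XML-RPC calls with the standard library and classifies what xmlrpc.php answers, using the real WordPress response strings: the "accepts POST requests only" text returned with HTTP 405 for a GET, the faultCode 405 "XML-RPC services are disabled on this site." fault that the xmlrpc_enabled filter produces, the faultCode 403 "Incorrect username or password." fault that proves credentials were checked, HTTP 403 for Apache's Deny from all or Cloudflare's 1020 block, and HTTP 401 for a password prompt in front of the file (mapping 401 to NinjaFirewall's login protection is an assumption). When no URL is given it runs over responses constructed to match those cases; pass the URL of a site you own as the first argument to probe it for real.

```python
import sys
import urllib.error
import urllib.request
import xmlrpc.client

XMLRPC_DISABLED = "XML-RPC services are disabled on this site."  # fault text when xmlrpc_enabled is false
POST_ONLY = "XML-RPC server accepts POST requests only."         # text WordPress returns for a GET


def build_request(method, *params):
    """Serialise an XML-RPC call, e.g. system.listMethods or a wp.getUsersBlogs login attempt."""
    return xmlrpc.client.dumps(params, methodname=method).encode("utf-8")


def classify_response(status, body):
    """Map the HTTP status and body returned by xmlrpc.php to the states discussed in the post:
    blocked     - the request never reached WordPress (Apache Deny from all, Cloudflare 1020)
    auth-gated  - a password prompt sits in front of the file (assumed: NinjaFirewall login protection)
    filter-only - xmlrpc_enabled is false, but the file still answers
    exposed     - WordPress processed the call (GET refused with 405, a login fault, or a method list)
    """
    if status == 401:
        return "auth-gated"
    if status == 403:
        return "blocked"
    if status == 404:
        return "missing"
    if status == 405 and POST_ONLY in body:
        return "exposed"
    if status != 200:
        return f"http-{status}"
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 405 and "disabled" in fault.faultString:
            return "filter-only"
        # faultCode 403 "Incorrect username or password." means the password was really checked
        return "exposed"
    except Exception:
        return "not-xmlrpc"
    return "exposed"


def lists_pingback(body):
    """True if a system.listMethods response still advertises pingback.ping."""
    (methods,), _ = xmlrpc.client.loads(body)
    return "pingback.ping" in methods


def probe(url, method="system.listMethods", *params, timeout=10):
    """POST one XML-RPC call to a live site and return (status, body). Needs network; not used offline."""
    req = urllib.request.Request(url, data=build_request(method, *params),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed responses for offline use; they mirror what WordPress, Apache and Cloudflare return.
DISABLED_FAULT = xmlrpc.client.dumps(xmlrpc.client.Fault(405, XMLRPC_DISABLED))
BAD_LOGIN_FAULT = xmlrpc.client.dumps(xmlrpc.client.Fault(403, "Incorrect username or password."))
LIST_METHODS = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "pingback.ping", "wp.getUsersBlogs"],),
    methodresponse=True,
)
SAMPLES = {
    "GET with no filter":        (405, POST_ONLY),
    "login, xmlrpc_enabled off": (200, DISABLED_FAULT),
    "login, no filter":          (200, BAD_LOGIN_FAULT),
    "listMethods, filter on":    (200, LIST_METHODS),
    ".htaccess Deny from all":   (403, "<html>403 Forbidden</html>"),
    "Cloudflare block rule":     (403, "error code: 1020"),
    "NinjaFirewall login lock":  (401, ""),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1].rstrip("/") + "/xmlrpc.php"
        status, body = probe(url)
        print("system.listMethods:", classify_response(status, body))
        status, body = probe(url, "wp.getUsersBlogs", "admin", "not-the-password")
        print("login attempt:     ", classify_response(status, body))
    else:
        for label, (status, body) in SAMPLES.items():
            print(f"{label:28} -> {classify_response(status, body)}")
        print("pingback.ping still listed under the filter:", lists_pingback(LIST_METHODS))
```

The two live probes are deliberately different: system.listMethods needs no credentials, so it tells you whether the file answers at all, while the wp.getUsersBlogs attempt with a wrong password tells you whether logins are still being evaluated. Only "blocked" or "auth-gated" for both means the brute-force and pingback paths are really shut.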
Through Firewall Plugin
We recommend this method if you are not using a domain-level firewall in front of your WordPress website. Install the NinjaFirewall plugin; you may already be using it if you have followed other posts on our blog.
Once the plugin is activated, first enable its Full WAF mode from the plugin's dashboard. If that mode fails on your host, contact your hosting provider.
Go to 'Login Protection'. Enable it, choose 'Username + Password' rather than the captcha image, and set it to always enabled.
Under Various Options, apply the protection to the xmlrpc.php script by selecting 'Yes' and save the changes. Brute-force attempts are now stopped at both wp-login.php and xmlrpc.php, because every request to either file must first pass the plugin's password prompt.
If you now open the /xmlrpc.php URL, it is password locked behind a browser username and password prompt. The same lock applies to your WordPress login page. Test this in a private or guest window, not in the browser where you are already logged in. Keep in mind that the request still reaches your server and is rejected there by the plugin; that is why the domain-level firewall below is the better option when you have one.

Through Firewall
This is the method we recommend. If you use a firewall at the domain level and block XML-RPC there, the request never reaches your origin server, so it consumes no hosting resources at all.
You can disable XML-RPC with a single firewall rule. Below is a simple block rule for the /xmlrpc.php file on Cloudflare: the rule matches requests whose URI path equals /xmlrpc.php (the http.request.uri.path field in the rule expression) and its action is Block. If you still want to use the WordPress mobile app, add one more Allow rule alongside the Block rule.
Completely Block to Everyone

With the above rule you block all access to xmlrpc.php. This is the safest way to protect WordPress, and it uses none of your server's resources.
Allow with IP Filter

The second rule checks the client IP address of every request to xmlrpc.php. If it matches the address in the rule, the request is allowed; otherwise Cloudflare returns its usual 1020 Access Denied error. I have personally tested all of these conditions, and they work. Note that this only helps if your phone's public IP address stays fixed; on a connection whose address changes you will have to update the rule each time.
If this does not work for you, first make sure the Allow rule sits above the Block rule in the firewall rules list. Rules are evaluated in order, and if the Block rule comes first it matches everything and there is nothing left to allow. Please refer to the image below. If you face any problems, do not hesitate to comment; we would love to help.

.htaccess Rule
Only use this procedure if you are not using a domain-level firewall. The .htaccess file is a convenient tool on Apache servers, but that does not mean you should stuff it with rules copied from random sites, which mostly give a false sense of security. Apache reads .htaccess on every request, so more rules mean slower page loads.
To add this rule you need access to the site's document root (often the public_html folder) through your hosting account's file manager or an FTP/SFTP client such as FileZilla.
Before you add rules, download a copy of the existing file to your PC. If something goes wrong, delete the .htaccess file, log back in to WordPress, go to Settings > Permalinks and click 'Save': WordPress regenerates a fresh default file. The default file contains only the permalink rewrite rules, so if you delete it, pretty permalinks stop working until it is regenerated, and any hardening rules you had added to it are gone with it.
Add the lines below to the .htaccess file after the default WordPress block (the part between # BEGIN WordPress and # END WordPress). These are the Apache 2.2 access-control directives; on Apache 2.4 they only work while mod_access_compat is loaded (most shared hosts keep it enabled), and the native 2.4 equivalent of the deny-all block is Require all denied.
# Block xmlrpc.php for everyone: Apache answers 403 and WordPress never runs
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
If you use the WordPress mobile app, your internet connection needs a static public IP for this variant. If you have one, add the lines below instead of the block above, replacing xxx.xxx.xxx.xxx with your static IP. The idea is the same as the Cloudflare allow rule: everything is denied except that one address. On Apache 2.4 the native form is Require ip followed by your address.
# Block xmlrpc.php with an IP filter: deny everyone, then allow one static address
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>
That sums up the article. If you have any doubts, let us know in the comments; we would love to help you resolve them.