About XML-RPC
XML-RPC is a protocol for remote procedure calls that uses XML to encode the data exchanged. In XML-RPC, a client that wants to call a remote method encodes the input parameters as XML and sends them in an HTTP request to a remote server that implements the XML-RPC protocol.
Understanding XML-RPC in WordPress
WordPress is a complete blogging platform, built to be highly customizable and easy to develop websites with. Through its XML-RPC interface you can build WordPress blogging clients or other software that performs batch tasks, such as creating multiple posts from a file. WordPress plugins can extend the XML-RPC system to modify its behaviour. XML-RPC has been turned on by default since WP 3.5, mainly because mobile apps and third-party desktop applications use it to communicate with WordPress.
The issue with XML-RPC is that it can be abused to cause CPU and memory exhaustion and to push the site's database to its maximum number of open connections. That takes the vulnerable site (and server) down for a period of time, affecting the availability of your website.
There are four ways that WP's XML-RPC API could be abused by an attacker:
Intel gathering — attacker may probe for specific ports in the target’s internal network
Port scanning — attacker may port-scan hosts in the internal network
DoS attacks — attacker may trigger pingbacks from a large number of sites for a DoS attack
Router hacking — attacker may reconfigure an internal router on the network
Possible workarounds
1. If you aren't using the XML-RPC functionality for anything, add the lines below to your .htaccess file to block access to it:
# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>
To test that it's working, try opening xmlrpc.php in your browser. If the rule is working, you'll get a "403 Forbidden" message.
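The browser check above can be scripted so it runs after every configuration change. The PHP CLI script below is an added example, not from the original article or from WordPress; it assumes the curl extension is loaded and takes your site URL as its first argument (example.com is a placeholder). It first repeats the GET request, and if the endpoint still answers it calls the standard XML-RPC introspection method system.listMethods to report whether pingback.ping and system.multicall are still offered.

```php
<?php
// xmlrpc-check.php: verify that xmlrpc.php on your own site is blocked.
// Added example, not from the original article. Assumptions: the PHP curl
// extension is loaded, and the site URL is passed as the first argument:
//   php xmlrpc-check.php https://example.com

// Issues one request; a non-null $body turns it into an XML-RPC POST.
function http_request(string $url, ?string $body = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_USERAGENT      => 'xmlrpc-hardening-check',
    ]);
    if ($body !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: text/xml']);
    }
    $response = curl_exec($ch);
    $status   = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, $response === false ? '' : $response];
}

// Extracts the method names from a system.listMethods <methodResponse>.
function list_methods_from_response(string $xml): array {
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        return [];
    }
    $names = [];
    foreach ($doc->xpath('//params/param/value/array/data/value/string') as $node) {
        $names[] = (string) $node;
    }
    return $names;
}

$site     = rtrim($argv[1] ?? 'https://example.com', '/');   // placeholder site
$endpoint = $site . '/xmlrpc.php';

// Step 1: the same check the article suggests doing in a browser.
[$status] = http_request($endpoint);
echo "GET $endpoint -> HTTP $status\n";
if ($status === 403 || $status === 404) {
    echo "OK: xmlrpc.php is blocked.\n";
    exit(0);
}
if ($status >= 300 && $status < 400) {
    echo "OK: requests are redirected (HTTP $status) and never reach xmlrpc.php.\n";
    exit(0);
}

// Step 2: the endpoint answered, so ask it which methods it still exposes.
// system.listMethods needs no credentials; it is standard XML-RPC introspection.
$request = '<?xml version="1.0"?>'
         . '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
[$status, $body] = http_request($endpoint, $request);
$methods = list_methods_from_response($body);

if ($methods === []) {
    echo "xmlrpc.php answered HTTP $status without a method list; inspect the response manually.\n";
    exit(1);
}

// pingback.ping is the method behind the pingback DoS; system.multicall lets one
// HTTP request carry many calls, defeating per-request limits. Either one still
// being listed means the endpoint is effectively unprotected.
$risky = array_intersect($methods, ['pingback.ping', 'system.multicall']);
printf("xmlrpc.php is reachable and exposes %d methods.\n", count($methods));
if ($risky !== []) {
    echo 'EXPOSED: ' . implode(', ', $risky) . "\n";
    exit(1);
}
echo "Endpoint is reachable, but pingback.ping and system.multicall are not offered.\n";
exit(0);
```

A WordPress site with XML-RPC enabled answers a plain GET on xmlrpc.php with HTTP 405 ("accepts POST requests only"), so only 403, 404 or a redirect is treated as blocked. A 500 response instead of 403 usually means the Order/Deny directives were read by Apache 2.4 without mod_access_compat loaded; the 2.4 form of the same rule is Require all denied inside the <Files> block.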
2. To redirect requests for xmlrpc.php to a custom page instead, replace the RedirectMatch rule with a Redirect like so:
# protect xmlrpc
Redirect 301 /xmlrpc.php http://example.com/custom-page.php
3. Deny all access to xmlrpc.php:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
4. Allow access to xmlrpc.php for specific IP addresses only:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from <IP>
Allow from <IP>
</Files>
You can also add the following line to your wp-config.php after the line require_once(ABSPATH . 'wp-settings.php'); if you want to disable XML-RPC for your site.
add_filter('xmlrpc_enabled', '__return_false');
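The xmlrpc_enabled filter used in the line above is consulted by WordPress core only when a method authenticates the caller, so methods that need no login, pingback.ping among them, keep working and the pingback DoS vector stays open. The must-use plugin below is an added example, not from the article or from WordPress core; it assumes WordPress 3.5 or later and a hypothetical constant HARDEN_XMLRPC_DISABLE_ALL that the file itself defines. It keeps XML-RPC available for mobile and desktop clients while removing the pingback methods and system.multicall through the xmlrpc_methods filter, and it drops the X-Pingback header that advertises the endpoint on every page.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 *
 * Place this file in wp-content/mu-plugins/ so WordPress loads it unconditionally.
 * Added example, not part of the original article or WordPress core. Assumptions:
 * WordPress 3.5+ (XML-RPC on by default); HARDEN_XMLRPC_DISABLE_ALL is a constant
 * invented for this file, not a WordPress setting.
 */

// true  : refuse every authenticated XML-RPC call (same effect as the wp-config.php line).
// false : keep the API for mobile/desktop clients and only strip the abused methods.
if ( ! defined( 'HARDEN_XMLRPC_DISABLE_ALL' ) ) {
    define( 'HARDEN_XMLRPC_DISABLE_ALL', false );
}

if ( HARDEN_XMLRPC_DISABLE_ALL ) {
    // Core checks this filter inside login(), so it only stops methods that
    // authenticate; pingback.ping never logs in and is unaffected. That is why
    // the xmlrpc_methods filter below is applied in both modes.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Remove the methods that need no credentials (pingback.*) or that let one HTTP
// request carry many calls (system.multicall), defeating per-request limits.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds X-Pingback to singular pages
// whenever pings are open.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Close pingbacks/trackbacks on posts so the site neither accepts nor sends them.
add_filter( 'pings_open', '__return_false' );
```

With HARDEN_XMLRPC_DISABLE_ALL left at false, apps that authenticate over XML-RPC keep working, but a pingback.ping call now receives an "unknown method" fault rather than being processed, which is the behaviour the .htaccess rules in section 1 achieve for the whole endpoint.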