XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism.
It works by sending an HTTP POST request to a server that implements the protocol. The client is typically software that calls a single method on the remote system; a call may pass several input parameters and returns exactly one value.
New XML-RPC Path
By default the XML-RPC endpoint is domain_root/xmlrpc.php. This option changes that path to a value of your choosing, so only clients that know the new path can reach the service. Keep in mind that this is obscurity, not authentication: WordPress itself advertises the endpoint through the X-Pingback response header and through the pingback and RSD (EditURI) link tags in the page head, so after changing the path check that those references no longer reveal it.
Block default xmlrpc.php
This blocks the default path, so the service is no longer reachable at domain_name/xmlrpc.php.
The New XML-RPC Path has to be filled in with a value, for this option to work.
Disable XML-RPC methods requiring authentication
By default WordPress exposes the following XML-RPC methods. Most of them take a username and password as their first parameters, which is what makes the endpoint a target for credential guessing; a few (the system.*, demo.* and pingback.* methods, plus mt.supportedMethods and mt.supportedTextFilters) can be called without credentials:
- system.multicall
- system.listMethods
- system.getCapabilities
- demo.addTwoNumbers
- demo.sayHello
- pingback.extensions.getPingbacks
- pingback.ping
- mt.publishPost
- mt.getTrackbackPings
- mt.supportedTextFilters
- mt.supportedMethods
- mt.setPostCategories
- mt.getPostCategories
- mt.getRecentPostTitles
- mt.getCategoryList
- metaWeblog.getUsersBlogs
- metaWeblog.deletePost
- metaWeblog.newMediaObject
- metaWeblog.getCategories
- metaWeblog.getRecentPosts
- metaWeblog.getPost
- metaWeblog.editPost
- metaWeblog.newPost
- blogger.deletePost
- blogger.editPost
- blogger.newPost
- blogger.getRecentPosts
- blogger.getPost
- blogger.getUserInfo
- blogger.getUsersBlogs
- wp.restoreRevision
- wp.getRevisions
- wp.getPostTypes
- wp.getPostType
- wp.getPostFormats
- wp.getMediaLibrary
- wp.getMediaItem
- wp.getCommentStatusList
- wp.newComment
- wp.editComment
- wp.deleteComment
- wp.getComments
- wp.getComment
- wp.setOptions
- wp.getOptions
- wp.getPageTemplates
- wp.getPageStatusList
- wp.getPostStatusList
- wp.getCommentCount
- wp.deleteFile
- wp.uploadFile
- wp.suggestCategories
- wp.deleteCategory
- wp.newCategory
- wp.getTags
- wp.getCategories
- wp.getAuthors
- wp.getPageList
- wp.editPage
- wp.deletePage
- wp.newPage
- wp.getPages
- wp.getPage
- wp.editProfile
- wp.getProfile
- wp.getUsers
- wp.getUser
- wp.getTaxonomies
- wp.getTaxonomy
- wp.getTerms
- wp.getTerm
- wp.deleteTerm
- wp.editTerm
- wp.newTerm
- wp.getPosts
- wp.getPost
- wp.deletePost
- wp.editPost
- wp.newPost
- wp.getUsersBlogs
With this option enabled, calls to these methods are rejected.
Brute force attacks frequently target XML-RPC: wp.getUsersBlogs answers differently for valid and invalid credentials, and system.multicall lets a single HTTP request carry hundreds of such guesses, which defeats rate limits that count requests rather than attempts. Enable this option unless you rely on the service for a specific purpose, such as a remote mobile app.
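The following script is an added example for this page, not the plugin's own code. It builds the two XML-RPC requests a defender would send after enabling this option (system.listMethods, and a system.multicall batch of wp.getUsersBlogs attempts) and reports whether the risky methods are still advertised and whether the batch is still processed. It uses only the Python standard library; assess_exposure() works on raw response bodies, so it runs offline against the constructed sample replies at the bottom, and probe_live() (a helper name chosen here) sends the same bodies to a real xmlrpc.php.

```python
"""Check what a WordPress XML-RPC endpoint still admits to supporting.

Added example for this page, not the plugin's own code. Standard library
only. assess_exposure() works on raw XML-RPC response bodies, so it runs
offline against the constructed samples at the bottom; probe_live() (a
helper name chosen here) POSTs the same request bodies to a real endpoint.
"""
import xmlrpc.client
from typing import List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen
from xml.parsers.expat import ExpatError

# Methods a defender cares about most: wp.getUsersBlogs is the classic
# credential-guessing method, system.multicall packs many such guesses into
# one HTTP request, and pingback.ping makes the site fetch a caller-chosen URL.
RISKY_METHODS = {"wp.getUsersBlogs", "system.multicall", "pingback.ping"}


def list_methods_request() -> bytes:
    """Body of a system.listMethods call (takes no parameters)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def multicall_request(username: str, passwords: List[str]) -> bytes:
    """One body carrying len(passwords) wp.getUsersBlogs attempts.

    Used only to see whether the server still processes such batches; a
    single dummy password is enough for that.
    """
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def batch_size(body: bytes) -> int:
    """Number of inner calls in a system.multicall request body."""
    params, methodname = xmlrpc.client.loads(body.decode())
    return len(params[0]) if methodname == "system.multicall" else 1


def parse_response(body: bytes) -> Tuple[object, Optional[xmlrpc.client.Fault]]:
    """Return (value, None) for a normal reply or (None, fault) otherwise.

    Anything that is not XML-RPC at all (an HTML 404 page once the default
    path is blocked, for example) is reported as a synthetic fault.
    """
    try:
        params, _ = xmlrpc.client.loads(body.decode(errors="replace"))
        return params[0], None
    except xmlrpc.client.Fault as fault:
        return None, fault
    except (xmlrpc.client.ResponseError, ExpatError, IndexError, ValueError) as exc:
        return None, xmlrpc.client.Fault(-1, f"not an XML-RPC response: {exc}")


def assess_exposure(list_methods_body: bytes,
                    multicall_body: Optional[bytes] = None) -> dict:
    """Summarise exposure from the replies to the two requests above."""
    methods, fault = parse_response(list_methods_body)
    result = {"reachable": fault is None, "risky_methods": [],
              "multicall_accepted": None}
    if fault is None and isinstance(methods, list):
        result["risky_methods"] = sorted(RISKY_METHODS & set(methods))
    if multicall_body is not None:
        value, fault = parse_response(multicall_body)
        # A processed batch comes back as a list with one entry per inner
        # call (each a result or a per-call fault struct). A blocked endpoint
        # answers with a single top-level fault instead.
        result["multicall_accepted"] = fault is None and isinstance(value, list)
    return result


def probe_live(url: str, timeout: float = 10.0) -> dict:
    """POST both requests to a real endpoint and assess the answers."""
    def post(body: bytes) -> bytes:
        req = Request(url, data=body, method="POST",
                      headers={"Content-Type": "text/xml"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.read()
    try:
        return assess_exposure(post(list_methods_request()),
                               post(multicall_request("probe", ["not-a-password"])))
    except (HTTPError, URLError) as exc:  # e.g. 403/404 once the path is blocked
        return {"reachable": False, "risky_methods": [],
                "multicall_accepted": False, "error": str(exc)}


# Constructed sample replies (not captured from a real site).
SAMPLE_OPEN = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "demo.sayHello",
      "pingback.ping", "wp.getUsersBlogs", "wp.getPosts"],),
    methodresponse=True).encode()
SAMPLE_OPEN_MULTICALL = xmlrpc.client.dumps(
    ([{"faultCode": 403, "faultString": "Incorrect username or password."}] * 3,),
    methodresponse=True).encode()
SAMPLE_BLOCKED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site.")).encode()

if __name__ == "__main__":
    print("open site:   ", assess_exposure(SAMPLE_OPEN, SAMPLE_OPEN_MULTICALL))
    print("blocked site:", assess_exposure(SAMPLE_BLOCKED, SAMPLE_BLOCKED))
```

Run it against your own site with probe_live("https://your-site/xmlrpc.php") before and after enabling the option; a hardened endpoint should report no risky methods and multicall_accepted False. The constructed "open" multicall reply shows the point of the check: three guesses in one request, each answered individually, which is exactly the amplification a per-request rate limit misses.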
Disable XML-RPC methods requiring authentication
Disabling the XML-RPC service in WordPress is a prudent hardening step. The service has legitimate uses, but it is also a well-known attack surface: credential guessing through methods such as wp.getUsersBlogs, batching of those guesses through system.multicall, and pingback.ping being pointed at third-party hosts. Turning it off when you do not need it removes that entry point and reduces the risk of unauthorized access and brute force attacks.
Before disabling the XML-RPC, ensure the service is not used for any of the following:
- Mobile Apps: XML-RPC allows users to manage their WordPress sites via mobile apps. This feature makes it convenient for bloggers and administrators to create, edit, or delete posts from smartphones and tablets.
- Third-Party Services: Many third-party services, like Jetpack, rely on XML-RPC to connect to WordPress sites for features such as monitoring, statistics, and site management.
- Content Syndication: XML-RPC can be used to syndicate content between different WordPress sites, sharing posts and updates.
The Benefits of Disabling XML-RPC:
- Improved Security: Disabling XML-RPC removes an entry point attackers use for brute force attacks and other abuse.
- Reduced Server Load: Batched login attempts and pingback.ping requests, which make the site perform outbound HTTP fetches, no longer consume PHP workers, which improves site performance and availability.
- Better Control: With the endpoint closed, content can only be created or changed through the interfaces you actively use, which narrows what an unauthorized party can reach or manipulate.
Remove pingback
A pingback is one of the four link-back methods by which web authors can request notification when somebody links to one of their documents; it lets authors keep track of who is linking to or referring to their articles. This option removes that functionality. Pingbacks are handled by the pingback.ping XML-RPC method, which makes the site fetch the URL supplied in the request; this has been abused to turn WordPress sites into sources of reflected DDoS traffic against third parties. If you do not use pingbacks, remove them.
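The check below is an added example for this page, not code from the plugin. It serves both the New XML-RPC Path option above and this pingback option: WordPress core reveals the endpoint in the X-Pingback response header (sent on single posts that accept pings), in the <link rel="pingback"> tag most themes print, and in the RSD discovery tag (<link rel="EditURI" type="application/rsd+xml">). A renamed or blocked xmlrpc.php and a removed pingback are only as good as these references, so the script collects them from a page response and reports whether the stock path is still advertised. It uses only the standard library; fetch_live() is a helper name chosen here, and the sample responses are constructed.

```python
"""Find where a WordPress page advertises its XML-RPC endpoint.

Added example for this page, not code from the plugin. Standard library
only; fetch_live() is a helper name chosen here, and the sample responses
at the bottom are constructed rather than captured from a real site.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

DEFAULT_PATH = "/xmlrpc.php"


class _LinkCollector(HTMLParser):
    """Collects <link> tags that point at the RPC endpoint."""

    def __init__(self) -> None:
        super().__init__()
        self.found: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "link":
            return
        a = {name: (value or "") for name, value in attrs}
        rel = a.get("rel", "").strip().lower()
        if rel == "pingback" and a.get("href"):
            self.found["link rel=pingback"] = a["href"]
        elif (rel == "edituri" and a.get("type", "").lower() == "application/rsd+xml"
              and a.get("href")):
            self.found["link rel=EditURI (RSD)"] = a["href"]


def find_xmlrpc_disclosures(headers: Dict[str, str], html: str) -> Dict[str, str]:
    """Map each disclosure source to the URL it reveals; empty means none."""
    found: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() == "x-pingback" and value.strip():
            found["X-Pingback header"] = value.strip()
    parser = _LinkCollector()
    parser.feed(html)
    found.update(parser.found)
    return found


def advertised_paths(found: Dict[str, str]) -> List[str]:
    """Distinct URL paths the disclosures point at (query strings dropped)."""
    return sorted({urlsplit(url).path for url in found.values()})


def default_path_advertised(found: Dict[str, str]) -> bool:
    """True if any reference still names the stock /xmlrpc.php location."""
    return DEFAULT_PATH in advertised_paths(found)


def fetch_live(url: str, timeout: float = 10.0) -> Tuple[Dict[str, str], str]:
    """GET a page and return (headers, body) for the checks above."""
    req = Request(url, headers={"User-Agent": "xmlrpc-disclosure-check"})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items()), resp.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real site).
OPEN_HEADERS = {"Content-Type": "text/html; charset=UTF-8",
                "X-Pingback": "https://blog.example/xmlrpc.php"}
OPEN_HTML = """<!DOCTYPE html><html><head>
<link rel="pingback" href="https://blog.example/xmlrpc.php">
<link rel="EditURI" type="application/rsd+xml" href="https://blog.example/xmlrpc.php?rsd">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
</head><body></body></html>"""
HARDENED_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED_HTML = ('<!DOCTYPE html><html><head>'
                 '<link rel="stylesheet" href="/wp-content/themes/demo/style.css">'
                 '</head><body></body></html>')

if __name__ == "__main__":
    found = find_xmlrpc_disclosures(OPEN_HEADERS, OPEN_HTML)
    for source, url in found.items():
        print(f"{source}: {url}")
    print("default path still advertised:", default_path_advertised(found))
    print("hardened:", find_xmlrpc_disclosures(HARDENED_HEADERS, HARDENED_HTML))
```

Point fetch_live() at a single post URL rather than the home page, since the X-Pingback header is only sent on singular pages with pings open. If the default path is still advertised after you have renamed it, the rename is buying nothing; if any reference survives after removing pingbacks, the theme is still printing it.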