What Is XML-RPC and How to Stop DDoS Attacks on your WordPress website | WordPress Tutorial For Beginners

XML-RPC is actually a remote procedure call protocol that allows anyone to disturb your WordPress website remotely. In other words, anyone like a hacker can manage your website without logging in manually through the standard “wp-login.php” URL page. It’s extensively used by some plugins, most famously by the Jetpack plugin. However, the word “XML-RPC” has a bad reputation. In this tutorial, I will explain WordPress XML-RPC and how to stop the XML-RPC DDoS attacks on your WordPress website.

Now the question is, how to check this problem If you are not already facing this. So you can check if XML-RPC is already Enabled to protect Your WordPress website from DDoS attacks.

A quick way to check if your site is defenseless is to visit the following URL from a browser:

What Is XML-RPC and How to Stop DDoS Attacks on your WordPress website | WordPress Tutorial For Beginners

Type in your browser https://www.yourwebsite.com/xmlrpc.php (replace www.yourwebsite.com with your own domain name)

If it is enabled, you will get a response like that “XML-RPC server accepts POST requests only.”

The Dangers and Benefits of XML-RPC

There’s been a lot of back and forth in the WordPress security community about XML-RPC. There are mostly two concerns:

  1. XML-RPC can be used to stop DDoS attacks (Distributed Denial of Service) a site
  2. It can be used to try username/password combinations to access your website frequently.

Here are a few steps and ways to avoid that kind of attack on your website against XML-RPC – starting from the lightest touch to the heaviest.

How to change WordPress Website’s default Login URL with a Plugin

Method 1: Disable Pingbacks

This is a method that uses your server as an unwitting participant in an attack against another server. In this case, someone tells your site, “this URL is linked to your blog!” And then, your site replies with a “pingback” to that URL.

But there is no proof that the URL actually did link back to you. Do this with hundreds of vulnerable WordPress sites, and you have a DDoS (Distributed Denial of Service)  attacks on your hands! The most simple and easiest method to avoid your site from being used in this manner is to add the following code to your theme’s functions.php:

function stop_pings ($vectors) {
unset( $vectors['pingback.ping'] );
return $vectors;
}
add_filter( 'xmlrpc_methods', 'stop_pings');

Method 2: Prevent All Authentication Requests via XML-RPC

This second method regulates if you want to allow “XML-RPC” methods that authenticate users. For example, publishing content through e-mail. The site will receive your e-mail, allow you via XML-RPC, and then publish it if the credentials match.

Many people are uncomfortable with XML-RPC’s ability to take in random calls like this. It’s what led to hundreds or thousands of authentication attempts in the first place. WordPress has also addressed this specific hacking method; you can turn it off by using a shortcode in your theme’s functions.php file.

add_filter('xmlrpc_enabled','__return_false');

You must know that this is not a similar method as the first I mentioned. This shortcode only restricts the authentication methods and leaves all others untouched, like pingbacks.

Method 3: Disable Access to xmlrpc.php

This method is the most extreme level of blocking that completely restricts all XML-RPC functionality. So you need to edit the “.htaccess” file at the root of your WordPress website directory (www.yourwebsite.com/.htaccess). You need to add the following code in the mentioned file.

<files xmlrpc.php>
Order allow, deny
Deny from all
</files>

Now with the above denial rules in effect, trying to access xmlrpc.php will be met with the following page:

What Is XML-RPC and How to Stop DDoS Attacks on your WordPress website | WordPress Tutorial For Beginners

That’s all; you have successfully disabled XML-RPC altogether on your WordPress Site.

Recent Articles

Apple Announced MacBook Pro, MacBook Air, Mac Mini with self-designed M1 silicon chips

Apple’s long separation is official with Intel. On Tuesday, the tech giant introduced its first Mac computers, the MacBook Air, Mac Mini, and 13-inch...

Microsoft, IBM and the Future of Healthcare Data

Not only in the U.S. but in most countries, healthcare is a blend. The absence of interoperability and fact-based guidance are some of the...

Dedicated Internet Access, Advantages, and Drawbacks

Nothing in a work environment is worse than poor Internet connectivity. It is evident to everyone that a poor Internet connection will significantly hurt...

Related Stories