WordPress is the world’s most popular content management system, powering over 40% of all websites on the internet. Its massive popularity and open-source nature, however, make it a frequent target for cyberattacks. While many security threats are well-known, one of the most overlooked yet dangerous vulnerabilities lies in an outdated feature known as XML-RPC. This protocol, once a cornerstone of remote publishing for WordPress, has become a significant security liability, a gateway for sophisticated brute force attacks and distributed denial-of-service (DDoS) campaigns. Understanding what XML-RPC is, how it’s exploited, and—most importantly—how to secure your site from its inherent risks is no longer an optional security measure; it is a critical step in protecting your digital presence.
What is XML-RPC?
XML-RPC, which stands for “Extensible Markup Language – Remote Procedure Call,” is a protocol that allows a client to make procedure calls on a remote server. In simple terms, it’s a way for different applications to communicate with each other over the internet. For WordPress, this protocol was historically used to enable remote publishing from desktop or mobile clients, as well as to power features like trackbacks and pingbacks.
A file named xmlrpc.php is at the core of this functionality, residing in the root directory of every WordPress installation. When a client application wants to perform an action on your WordPress site (like posting a new article or retrieving a list of recent posts), it sends an HTTP POST request to this file, with the command and data encoded in XML. The server processes the request and sends back a response, also in XML. While this provided useful functionality in the past, its age and inherent vulnerabilities have made it a prime target for cyber attacks. The modern WordPress REST API has largely replaced XML-RPC, rendering it obsolete for most users and turning it into a significant security liability.
How XML-RPC Attacks Occur
XML-RPC attacks primarily exploit two major vulnerabilities in the xmlrpc.php file: its ability to handle multiple commands in a single request and its role in processing pingbacks. These flaws allow attackers to bypass standard security measures and launch highly effective attacks.
Brute Force Attacks
A brute force attack is a trial-and-error method used to guess a user’s login credentials. In a typical brute force attack against a WordPress login page, a hacker might be blocked after a few failed attempts by a security plugin or a firewall. However, XML-RPC attacks are different. The system.multicall method in XML-RPC allows attackers to bundle hundreds or even thousands of login attempts into a single HTTP request.
How it works:
- An attacker sends a single POST request to the xmlrpc.php file.
- The request’s XML body contains multiple calls to the wp.getUsersBlogs method, each with a different username and password combination.
- The server processes all these login attempts at once.
- Because this is a single request, it can bypass security measures that are designed to limit login attempts on the standard wp-login.php page. This makes it incredibly difficult to detect and block.
- Once a correct username and password combination is found, the attacker can gain full access to the WordPress dashboard.
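The gap described in the last two points (per-login limits on wp-login.php that never see a bundled xmlrpc.php request) can be closed by counting failures at the authentication layer, which both entry points share. The following is an added example written for this article, not code from it or from WordPress itself; it assumes REMOTE_ADDR holds the real client address and the names XMLRPC_GUARD_* and xmlrpc_guard_* are its own.

```php
<?php
/*
 * Plugin Name: XML-RPC aware login throttle
 * Added example, not code from the original article. Counts failed logins per
 * client IP across both wp-login.php and xmlrpc.php, so a system.multicall
 * packed with wp.getUsersBlogs guesses burns the same quota as form logins.
 * Assumes REMOTE_ADDR is the real client address (behind a proxy or CDN, read
 * the forwarded address your proxy sets instead). Install in wp-content/mu-plugins/.
 */

const XMLRPC_GUARD_MAX_FAILURES = 10;  // failures tolerated per IP per window
const XMLRPC_GUARD_WINDOW       = 600; // window length in seconds

function xmlrpc_guard_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function xmlrpc_guard_key() {
    // One transient per client; hashing keeps IPv6 addresses within key limits.
    return 'xmlrpc_guard_' . md5( xmlrpc_guard_client_ip() );
}

// wp_authenticate() fires this once per failed attempt, including once for
// every inner call of a system.multicall, so a bundled request is counted
// as the many guesses it really is rather than as one request.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = xmlrpc_guard_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, XMLRPC_GUARD_WINDOW );

    // XMLRPC_REQUEST is defined by xmlrpc.php, so the log line tells the two
    // entry points apart; the username is sanitized before it reaches the log.
    $via = ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ? 'xmlrpc.php' : 'wp-login.php';
    error_log( sprintf( 'login failure #%d via %s for "%s" from %s',
        $count, $via, sanitize_user( $username, true ), xmlrpc_guard_client_ip() ) );
} );

// Priority 99 runs after WordPress's own credential checks (priority 20), so a
// throttled IP is refused even when a guess inside the multicall is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( xmlrpc_guard_key() ) >= XMLRPC_GUARD_MAX_FAILURES ) {
        return new WP_Error( 'too_many_failures',
            'Too many failed login attempts from this address. Try again later.' );
    }
    return $user;
}, 99, 3 );
```

The error_log lines give you a searchable record of which entry point the guesses came through, which is the detection signal the standard login-page limits miss.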
Distributed Denial of Service (DDoS) Attacks
A DDoS attack involves flooding a website with a massive amount of traffic from multiple sources, overwhelming the server and making the site inaccessible to legitimate users. Attackers can leverage the XML-RPC pingback feature to launch these attacks.
How it works:
- A pingback is a notification that your WordPress site receives when another blog links to one of your posts. The xmlrpc.php file handles this communication.
- Attackers can exploit this feature by using a network of compromised servers (a botnet) to send a flood of fake pingback requests to the target site’s xmlrpc.php file.
- The attacker’s command instructs your WordPress site to send pingbacks to a third-party target. The pingbacks are sent from your server’s IP address.
- By using the pingback feature, the attacker essentially turns your WordPress site into a participant in the DDoS attack against a different target.
- The high volume of requests also consumes your server’s resources, potentially causing your own site to slow down or go offline, a form of self-DDoS.
How to Combat XML-RPC Attacks On WordPress: Securing Your Site
Since XML-RPC is now largely obsolete for most WordPress users, the most effective way to protect your site is to disable it entirely. There are a few different ways to do this, ranging from the very simple to the more technical. Before you begin, always back up your website.
Method 1: Using a Plugin (The Easiest Way)
This is the recommended method for most users as it’s the simplest and requires no code.
- Log into your WordPress admin dashboard.
- Navigate to Plugins > Add New
- In the search bar, type “Disable XML-RPC-API”
- Find a reputable plugin like “Disable XML-RPC-API” and click Install Now
- After installation, click Activate
That’s it! The plugin will automatically disable the XML-RPC functionality on your site. Alternatively, some plugins, like “Disable XML-RPC Pingback,” allow you to keep the core XML-RPC functionality while disabling only the vulnerable pingback feature. Choose the one that best fits your needs.
Method 2: Editing Your .htaccess File (More Technical)
This method involves adding a few lines of code to your .htaccess file, which is a powerful configuration file for Apache servers.
- Access your site’s files. You can do this using an FTP client (like FileZilla) or your hosting provider’s file manager in cPanel or a similar dashboard.
- Navigate to your WordPress site’s root directory. This is the folder that contains wp-admin, wp-content, and other core files.
- Locate the .htaccess file. If you can’t see it, make sure your FTP client or file manager is set to show hidden files.
- Download the .htaccess file as a backup. This is super important in case something goes wrong.
- Open the .htaccess file in a plain text editor.
- Add the following code snippet at the very top of the file, before any existing code:
# Block WordPress xmlrpc.php requests (<Files> limits the rule to this file only)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
- Save the file and upload it back to your site’s root directory, overwriting the old one.
This code tells your server to deny all requests to the xmlrpc.php file, effectively blocking all XML-RPC communication. If you need to allow a specific IP address to use XML-RPC (for a mobile app, for example), you can modify the code:
# Block WordPress xmlrpc.php requests, except from one allowed address
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
Replace xxx.xxx.xxx.xxx with the specific IP address you want to whitelist.
Method 3: Adding Code to functions.php (Alternative Code Method)
You can also disable XML-RPC by adding a filter to your theme’s functions.php file.
- Access your site’s files via FTP or your hosting provider’s file manager.
- Navigate to wp-content/themes/ and look for your theme’s directory.
- Find the functions.php file.
- Download and back up the functions.php file.
- Open the file in a text editor.
- Add the following code at the end of the file, right before the closing ?> tag (if it exists):
add_filter('xmlrpc_enabled', '__return_false');
- Save the file and upload it back to the server.
This filter makes WordPress return false whenever it checks whether XML-RPC is enabled, which disables it.
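For sites that must keep XML-RPC reachable for a specific client, the two capabilities abused in the brute force and pingback DDoS scenarios described earlier can be removed on their own. The following is an added example written for this article, not code from it or from WordPress; it assumes the 'xmlrpc_enabled' filter behaves as WordPress core documents (it gates only methods that log in, so pingback.ping, which needs no login, is unaffected by Method 3 alone), and the constant name XMLRPC_ALLOW_AUTHENTICATED_METHODS is its own.

```php
<?php
/*
 * Plugin Name: XML-RPC surface reduction
 * Added example, not code from the original article. Keeps xmlrpc.php reachable
 * for a client that genuinely needs it while removing the two capabilities the
 * article describes as abused: request bundling (system.multicall) and pingbacks.
 * Note that the 'xmlrpc_enabled' filter only gates methods that log in;
 * pingback.ping needs no login, so that filter alone leaves pingback abuse open.
 * Install in wp-content/mu-plugins/ (or append the add_filter calls to functions.php).
 */

// false reproduces the article's Method 3 and turns off every authenticated method.
const XMLRPC_ALLOW_AUTHENTICATED_METHODS = true;

add_filter( 'xmlrpc_enabled', function () {
    return XMLRPC_ALLOW_AUTHENTICATED_METHODS;
} );

add_filter( 'xmlrpc_methods', function ( $methods ) {
    // Without system.multicall each credential guess costs the attacker a full
    // HTTP request, which is the unit that rate limits and firewalls count.
    unset( $methods['system.multicall'] );
    // Without pingback.ping this site can neither be told to contact a third
    // party nor be flooded with fake link notifications through xmlrpc.php.
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the removed features: the X-Pingback response header and the
// RSD <link> in the page head both point crawlers and bots at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After activating, a request for the removed methods gets an XML-RPC "method not found" fault while the methods your client relies on keep working, so you can verify the change without taking the whole endpoint offline.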
Why You Should Disable XML-RPC (Unless You Need It)
In the past, XML-RPC was essential for connecting WordPress to external services and applications. However, with the advent of the WordPress REST API in version 4.7, this is no longer the case. The REST API offers a more secure and efficient way for applications to interact with your site.
The majority of WordPress users, especially those who don’t use the legacy mobile app or specific plugins that still rely on XML-RPC (like older versions of Jetpack), do not need it. Keeping it enabled introduces an unnecessary attack vector that can put your site at risk. By disabling it, you close a significant security hole and reduce your site’s vulnerability to brute force and DDoS attacks.
In Summary
Having understood the inherent risks associated with XML-RPC, it’s clear that proactive security measures are non-negotiable for any WordPress site owner. By disabling this outdated protocol, you are not only mitigating the threat of brute force attacks that could compromise your site’s credentials but also preventing your server from being unknowingly used in a larger DDoS attack. The methods outlined—whether through a simple plugin, a direct edit to the .htaccess file, or a snippet in functions.php—provide straightforward and effective solutions to this pervasive problem.