Insights > Blog

How to Disable XML-RPC in WordPress

Author: Jonathan Willian Coradi is a Red Team Services Consultant at Cipher

XML Remote Procedure Call (XML-RPC) is a remote communication interface used by WordPress enabled by default since version 3.5. It allows communication between WordPress and other blogging platforms, such as trackbacks and pingbacks.

Pingbacks and tracebacks are responsible for the notifications that appear in the comments when some other website links to your content. Currently, XML-RPC has been replaced by the REST API, making it obsolete and no longer usable for communication.

But why disable XML-RPC from WordPress? The reason for this is because it has several security vulnerabilities and can cause major damage to the organization if it is active. Below we will see some of the attacks that can occur when XMLRPC is active:

1. DDoS via XML-RPC Pingbacks: Using pingbacks, the attacker can use a malicious script exploiting XMLRPC.php, to send large numbers of pingbacks to your website in a short time, which would overload the server, making the website unavailable.

2. Enumeration of doors: Using the same pingbacks, the attacker can send requests in XML format, addressing a specific door and according to the response of that request, information can be obtained if the door is open or closed.

How to disable WordPress XML? You can disable WordPress XML-RPC by editing the website’s .htaccess file, simply by adding the lines below to the file’s content.

# Block XMLRPC.php
<Files xmlrpc.php>
Order Allow, Deny
Deny from all
What do you think about attack maps? Comment below with your feedback.


Submit a Comment

Your email address will not be published. Required fields are marked *


Information Security Maturity Self-Assessment Survey

Learn More

•  Whitepapers
•  E-books
•  Checklists
•  Self-Assessments
•  Webcasts
•  Infographics