How to Disable XML-RPC in WordPress
Author: Jonathan Willian Coradi is a Red Team Services Consultant at Cipher
XML Remote Procedure Call (XML-RPC) is a remote communication interface that WordPress exposes at /xmlrpc.php, enabled by default since version 3.5. It lets other blogging platforms and client applications talk to WordPress, and it carries, among other things, the pingback protocol that blogs use to notify each other about links.
Pingbacks and trackbacks are responsible for the notifications that appear in the comments when another website links to your content. Today most of what XML-RPC was built for is handled by the REST API, which has largely superseded it. XML-RPC itself has not been removed, though: the endpoint is still active and still answers requests, so "obsolete" does not mean "harmless".
But why disable XML-RPC in WordPress? Because the endpoint is reachable without authentication and lets an attacker make your server do work, and make outbound requests, on demand, which can cause real damage to the organization for as long as it is active. Below are some of the attacks that are possible when xmlrpc.php is reachable:
1. DDoS via XML-RPC pingbacks: a pingback.ping call asks your server to fetch the "source" URL it names and check that the page links back to you. An attacker can script large numbers of these calls against xmlrpc.php in a short time; every one costs your server an outbound HTTP fetch and a parse, which overloads it and makes the website unavailable. The same mechanism lets many WordPress sites be used as reflectors: the attacker names a third party as the source URL and all of those sites fetch it at once.
2. Port scanning (enumeration of ports): using the same pingback.ping method, the attacker names as the source URL a host and port of their choosing, including internal addresses that are only reachable from your server. From the fault code and the response time that xmlrpc.php returns, the attacker can tell whether that port is open or closed, so your site acts as a port scanner on their behalf (a server-side request forgery).
How do I disable WordPress XML-RPC? On Apache you can disable XML-RPC by editing the website's .htaccess file and adding the lines below, which refuse every request to xmlrpc.php before it reaches PHP. Note that "Order" and "Deny from" are Apache 2.2 access-control directives; on Apache 2.4 they only work when mod_access_compat is loaded, otherwise use the equivalent Require directive. This block also cuts off legitimate XML-RPC clients such as the WordPress mobile apps and Jetpack, so check whether anything on the site still depends on the endpoint before applying it. It does nothing on nginx or other web servers, where an equivalent location rule or an application-level fix is needed.
# Block xmlrpc.php
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
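For sites that cannot rely on .htaccess (nginx, IIS, Apache with AllowOverride None), the same result can be reached inside WordPress itself. The must-use plugin below is an added example, not code from the article or from WordPress; it assumes it is saved as a hypothetical wp-content/mu-plugins/disable-xmlrpc.php and uses only standard WordPress hooks (xmlrpc_enabled, xmlrpc_methods, wp_headers, init). It also carries the caveat the article's pingback discussion needs: the well-known xmlrpc_enabled filter is only consulted when a method logs in, so pingback.ping, which needs no login, keeps working unless it is removed separately.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not part of the original article)
 *
 * Drop this file into wp-content/mu-plugins/ (must-use plugins load automatically,
 * no activation step). It closes XML-RPC at the application layer and therefore
 * also covers web servers where the .htaccess rule above does not apply.
 */

// 1. Refuse authenticated XML-RPC calls (wp.*, blogger.*, metaWeblog.* ...).
//    Caveat: WordPress checks this filter inside wp_xmlrpc_server::login() only,
//    so methods that need no login, pingback.ping among them, still run.
//    Steps 2 and 4 cover those.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the methods behind the pingback DDoS / port-scan abuse, plus
//    system.multicall so one request cannot batch hundreds of calls.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint: WordPress sends an X-Pingback header on
//    single posts and an RSD <link> in <head> that both point at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Hard stop: xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress,
//    and 'init' fires during that load, so this answers every hit on the
//    endpoint with 403 before the XML-RPC server object is even constructed.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo 'XML-RPC is disabled on this site.';
        exit;
    }
} );
```

Steps 1 to 3 are enough if some XML-RPC client must keep working and you only want the pingback surface gone (drop step 4 and, if needed, keep xmlrpc_enabled at its default); step 4 is the equivalent of the .htaccess block and makes the earlier steps defence in depth. After deploying, a POST to /xmlrpc.php should come back 403 rather than an XML methodResponse.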