XML-RPC is a remote remote procedure call protocol. XML-RPC allows two applications running on different operating systems and in different environments to communicate with each other via the Web (over HTTP ). The information describing the implementation methods is encoded in XML.
The XML-RPC protocol is a precursor to the SOAP protocol. Although the SOAP protocol is newer and supports more features, XML-RPC remains in use and is preferred over SOAP, precisely because of its simplicity and ease of use.
Many web applications use XML-RPC, such as WordPress , Drupal and others.
What is XML-RPC used for in WordPress?
In WordPress, XML-RPC is used for the Pingback function, for remote publishing of articles and other functionalities that require specific communication with an external application.
The Pingback feature provides the ability to notify the author of another blog that you have placed a link to his article on your site (and vice versa).
Weblog program installed locally on the computer can be used for remote publishing of articles. Articles can be created even when there is no internet connection. Once the internet connection is activated, the application sends the already created articles to the WordPress site.
Each WordPress installation contains the xmlrpc.php file located in the root directory of the system.
The XML-RPC functionalities are used through this file. Through xmlrpc.php WordPress can receive and send XML-RPC signals and communicate with other external applications.
How to disable XML-RPC in WordPress
In reality xmlrpc.php poses a security risk. It creates an additional access point to your site, which could leave it vulnerable to external attacks. Every time you authenticate XML-RPC, you need to supply your username and password which isn’t great for security purposes.
For example, in order to prevent brute force attacks, you can limit login attempts on your WordPress site. However, with XML-RPC enabled, that limit does not exist. There’s no capping on login attempts, which means it’s only a matter of time before a determined cybercriminal gains access.
By disabling XML-RPC, you are closing a potential area of entry for hackers. Of course, without XML-RPC, remote access isn’t possible. You would need to log in directly to WordPress for publishing and updating purposes. Therefore, if mobile apps and remote software are the methods you rely on for site updates, turning this feature off may not be a practical option.
Disabling XML-RPC using .htaccess
To use .htaccess to disable the xmlrpc.php function in WordPress you need to go to the root folder of your WordPress website and find and open the .htaccess file and add the following code:
# Block WordPress xmlrpc.php requests
deny from all
allow from 18.104.22.168
If there’s a specific IP address you want to allow xmlrpc.php access for, you can replace 22.214.171.124 in the snippet above. Otherwise, you can remove this line entirely.
Note: If your website has a .htaccess file but you can’t see it, visit settings and click on ‘show hidden files.’
Now, remote use of xmlrpc.php will be denied to everyone except the specific users you choose.