Keep your site safe from XML-RPC WordPress attacks! Learn how they happen and how to prevent them with insights for admins regarding the XML-RPC protocol.
Stopping an XML-RPC WordPress Attack
XML-RPC attacks are among the most common attacks on various WordPress websites. Here you’ll learn what XML-RPC protocol is, what it is used for, what these attacks are, how they happen and how to prevent them.
The Nexcess Knowledge Baseprovides additional information about WordPress sites and our Managed WordPress and Managed WooCommerce platforms.
What is XML-RPC?
XML-RPC is a remote procedure call protocol that uses HTTP as a transport mechanism and encodes its calls using XML. XML is a language that defines rules for encoding documents and is both human-readable and machine-readable. RPC is a way for a call from one location (device) to trigger the execution of a routine or a function in another location (server). It was created in 1998 and allowed for sending and receiving of encoded, potentially complex, or nested data structures via HTTP requests.
XML-RPC and Its Role within WordPress Installations
XML-RPC is one of the core WordPress features which allows remote access to otherwise inaccessible sections of the WordPress dashboard. For example, if you wanted to post to your site from a mobile device since your computer wasn’t nearby, you could do that using various third-party applications (Windows Live Writer was one of them). XML-RPC is a protocol that would allow the connection between a remote third-party application and the WordPress installed on your website. There was an option to disable XML-RPC in earlier WordPress versions, but with the release of WordPress mobile applications, this option’s been enabled by default (since WordPress version 3.5). There isn’t a built-in functionality that would allow you to disable XML-RPC.
XML-RPC functionality is implemented through the xmlrpc.php file, which can be found in the document root directory of any WordPress site. Even though it’s a default feature, the file's functionality and size have significantly decreased, and it doesn’t play as large of a role as it did earlier.
Problematic Nature of XML-RPC in WordPress
In the past, some RPCs have been exploited. One of the examples would be a massive Microsoft virus known as MSBlast or W32.Blaster.Worm which caused significant chaos on Windows computers, from August 2003. Nowadays, it presents a security risk for XML-RPC attacks on WordPress sites. Randomized passwords and usernames that aren’t the default “admin” user are still a good security practice, but they will not do much good against XML-RPC attacks. Namely, there are two main weaknesses that have been exploited in the past.
Malicious visitors would use the xmlrpc.php file for brute force attacks that might allow them access to your site. A single command can be effectively used to test hundreds of different passwords. Usually, the primary user that would be exploited is the administrator user with the username “admin”. The xmlrpc.php file allows hackers to bypass the usual security measures to prevent brute force attacks towards the main wp-login.php file. For other ways to avoid compromises on your site, see How can I prevent my site from being compromised?
The second weakness was bringing sites down through a DDoS attack. The pingback WordPress feature allows hackers to simultaneously send pingbacks to thousands of sites. This weakness is a feature of xmlrpc.php that gives hackers an endless supply of different IP addresses to distribute the DDoS attack over.
How to Check if XML-RPC is Enabled on Your Site
If the XML-RPC is enabled, you’ll be able to run plugins like Jetpack or apps that allow remote access to your WordPress site’s backend, like mobile apps. If you’re not using any of those plugins or apps, it’s still possible XML-RPC is enabled on your website, and as such, presents a vulnerability. There are a couple of ways to check this, but these are two of the easiest ways to check:
You can visit a XML-RPC validating website:
Once there, you can paste in your website’s URL, such as https://example.com/xmlrpc.com.
Do not enter any credentials.
If you’ve got the message “Congratulations! Your site passed the first check.” it means XML-RPC is enabled on your site. It is active, visible, working, and a possible vulnerability on your site.
- Once there, you can paste in your website’s URL, such as https://example.com/xmlrpc.com.
You can go to the xmlrpc.php page on your website. If you see the “XML-RPC server accepts POST requests only.” message, XML-RPC is enabled on your website:
How to Stop XML-RPC attacks
The easiest and quickest way to stop XML-RPC attacks on your website is to entirely block access to the xmlrpc.php file. That can be achieved using various plugins or adding a block directly to the site’s htaccess file. It can also be achieved by deleting the file itself, but any future core update would recreate the file, and you’d need to delete it over and over again. More articles about security features and possible modifications can be found here. Since WordPress is a very popular content management system, it is necessary to take additional precautions regarding its security.
There are plenty of different plugins available that should help with this. Still, before installing any, we’d suggest checking if it’s compatible with the version of WordPress your website is running.
Should you wish to stop XML-RPC attacks by making changes to the .htaccess file directly, you’ll need to log in via SSH or FTP, locate the .htaccess file and paste the following at the top of it:
In case your site is using Jetpack, you’ll need to whitelist its IP addresses so the plugin can function as intended:
If you’re unsure how to proceed regarding these instructions, our support team will be happy to assist you!
Useful WordPress Links for Developers & Admins
Read more about the Fully Managed WordPress Hosting and its benefits for your business.
Build Better Websites with Fully Managed WordPress Hosting
It’s hosting optimized for WordPress. That means a faster, more secure and scalable website. Smart monitoring tools are built-in to help you keep it that way.
It’s why WordPress Users Trust Nexcess Hosting.
We also have a variety of Nexcess support articles about WordPress, including how to get your site going with a number of different configuration options. These resources include a great article on setting this up for Migrating to Nexcess with managed WordPress and managed WooCommerce hosting.
If you need any assistance with the above-mentioned, don't hesitate to reach out. For 24-hour assistance any day of the year, Nexcess customers can contact our support team by email or through your Client Portal.
Useful YouTube > Nexcess Channel Links
Resources for More Information
Need more help? With regards to security topics, The Security, PCI DSS, SSL, SSH, and WordPress sections within the Nexcess Knowledge Base are important resources. The Applications, WooCommerce, and Other Best Practices sections contain valuable insights for those seeking additional knowledge about applications. Or, check out our related articles below.
New Customers: Fully Managed Hosting Solutions
Not a Nexcess customer yet? Check out our fully managed hosting solutions. The option to chat with an expert is also available.