Hackers are using the XML-RPC function in WordPress for DDoS botnet attacks as well as Brute Force attacks. Find out what XML-RPC is, where it’s used on your site, and how to secure your site against this vulnerability. Plus, discover how XML-RPC may be used in the future and what you need to avoid.
UPDATE: This post was updated on 10/9/15 with the latest news on XML-RPC threats.
UPDATE: Read Why I Yanked VaultPress off My Recommended List due to it being bundled with JetPack as of 12/9/16 and the XML-RPC issue involved.
What is XML-RPC?
XML-RPC is the remote procedure call interface WordPress exposes at xmlrpc.php. Its pingback methods were originally designed as a notification system between sites (one blog telling another that it has linked to it). Few use that anymore because of spam.
Now it is used primarily as a way to post to WordPress remotely, for example from mobile apps.
Some plugins and third-party applications use XML-RPC to deliver content from their servers to your site.
Escalation of Attacks
In March 2014, Sucuri reported 162,000 sites being used in DDoS attacks without the site owner’s knowledge via security holes in XML-RPC.
By July 2014 the bot attack vectors had changed. The same XML-RPC endpoint was being used for Brute Force attacks: every authenticated XML-RPC call carries a username and password, the endpoint is rarely covered by login-attempt limiters that only watch wp-login.php, and a single request can bundle many attempts through system.multicall.
Why You Need to Turn XML-RPC Fully Off
You have two options.
You can turn XML-RPC halfway off and continue to make use of some of its functions.
Or, you can turn XML-RPC fully off and slam the door on attacks.
It’s your choice.
I shut XML-RPC down fully on my sites and those I manage for VIP clients over a year ago.
I strongly suggest you turn it completely off too. Info on how to do that is below, as well as findings from testing other plugin recommendations.
Check Your Site Right Now
Sucuri Test Tool will tell you if your site has been listed in their logs of IPs that are being used in the DDoS attacks.
If it comes back clean, great!
But that only means your site is not listed in their logs. Be sure to take the steps below to keep your site from getting on that list!
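Sucuri's tool only knows about IPs that showed up in the attacks they observed. Your own access log shows the other side: whether xmlrpc.php is being hammered right now, and whether those requests are still getting through. The script below is an added example (not from the original post) that scans Apache-style combined log lines for POST requests to xmlrpc.php, flags any single IP sending more than a threshold of them (the Brute Force pattern) and tallies the HTTP status codes (403 means a block is working, 200 means the endpoint is still open). The log lines, IPs and user agents are constructed for the example.

```python
"""Added example: spot xmlrpc.php abuse in an Apache-style combined access log.

Note two limits of the log: the XML-RPC method name is in the POST body,
which the web server does not log, and one request can carry many login
attempts via system.multicall, so a low request threshold is appropriate.
The log lines below are constructed for this example; nothing is real traffic.
"""
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse(line):
    """Return a dict with ip/time/method/path/status, or None if the line is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_report(lines, brute_threshold=20):
    """Summarise POST requests to xmlrpc.php.

    Returns (brute_force_ips, status_counts):
      brute_force_ips: sorted IPs that sent more than brute_threshold POSTs
      status_counts:   {http_status: count} for all POSTs to xmlrpc.php
                       (403 = blocked by the web server, 200 = reached WordPress)
    """
    per_ip = Counter()
    statuses = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?")[0]
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            per_ip[rec["ip"]] += 1
            statuses[rec["status"]] += 1
    brute = sorted(ip for ip, n in per_ip.items() if n > brute_threshold)
    return brute, dict(statuses)


# Constructed sample log: one normal page view, 25 POSTs to xmlrpc.php from a
# single IP that are still answered with 200, and three pingback-style POSTs
# from other IPs that a working .htaccess block answered with 403.
SAMPLE_LOG = (
    ['203.0.113.5 - - [09/Oct/2015:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
    + ['198.51.100.7 - - [09/Oct/2015:10:00:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"' % s
       for s in range(25)]
    + ['192.0.2.%d - - [09/Oct/2015:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "WordPress/4.3"' % i
       for i in range(1, 4)]
)

if __name__ == "__main__":
    brute_ips, status_counts = xmlrpc_report(SAMPLE_LOG)
    print("possible brute force from:", brute_ips)
    print("xmlrpc.php POST status counts:", status_counts)
```

To run it on a real log, replace SAMPLE_LOG with the lines of your access log (for example `xmlrpc_report(open("/var/log/apache2/access.log"))`); if the 200 count is not zero after you have applied the steps below, the block is not in effect.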
Disable XML-RPC
By default, this function is turned on in WordPress.
You can turn it off in three ways.
I recommend way number 3.
1. Input Code to Your Theme
UPDATE: There’s a better way. I don’t recommend adding this code to your theme. But it is here for reference if you insist on hard coding it.
This post by Sucuri has instructions for adding code to the functions.php file of your theme. (The code is about 3/4 down the post.)
The caveats – you have to remember to add the code again if you change themes, or perhaps if your theme is updated (if you’re not using a child theme). And, it disables XML-RPC completely, which may disturb third-party applications that use it. (See below for more on those.)
2. Install a Plugin to Turn It Halfway Off
UPDATE: I’ve tested the plugin recommended below on multiple sites and there have been zero conflicts with popular plugins for podcasts (Blubrry PowerPress and SoundCloud tested), or with gallery plugins. But, it still only turns XML-RPC halfway off.
The nice folks at FooPlugins have created a plugin that removes the pingback function while allowing almost all third-party apps to still use the rest of the XML-RPC functions they need. It’s called Remove XMLRPC Pingback Ping. You’ll find it in the WordPress plugin repository.
(Thank you to my colleague +Kim Dastleberry for her post about the above plugin and to +Ana Hoffman for alerting me to it!)
The caveat – this plugin, and others like it listed below, may cause conflicts with other third-party apps or even other plugins. (See list below.)
NOTE: Be sure that you check your site to ensure that you do not already have any other plugin serving this function!
Below are a few of the other plugins that I found in the repository. NOTE: I have not tested any of these, so use at your own risk.
- Prevent XMLRPC
- Disable XML-RPC
- Disable XML RPC Fully
- Secure XML-RPC
This is only a partial list. There are several more, as well as other plugins that have a similar block for XML-RPC.
Third Party Applications and Plugins that may use XML-RPC
There are several popular apps and plugins that make use of some part of the XML-RPC function. They are:
- WordPress Mobile App
- JetPack (just some parts of it)
- LibSyn (for podcasts)
- BuddyPress
- Windows Live Writer
- Various photo gallery plugins
NOTE: How disabling the XML-RPC function affects some of the apps and plugins above may depend entirely on how you have them configured and/or which features you are using.
The Remove XMLRPC Pingback Ping from FooPlugins is the only one that I have verified to still allow JetPack and the WordPress Mobile App to function.
3. Recommended: Turn XML-RPC All the Way Off
There are 3 steps you need to take to turn XML-RPC all the way off.
Step 1. Add a filter at the bottom of the wp-config.php file. It turns off every XML-RPC method that requires a login, which is what the Brute Force attacks go after; anonymous methods such as pingback.ping are not covered by this filter, which is why Step 2 blocks the file itself. I’ve extensively tested it on multiple sites and have experienced zero issues with other plugin functionality including:
- Blubrry PowerPress and SoundCloud podcast plugins
- Popular social share button plugins with counters displayed
- Popular post and related post plugins that actively create internal logs
- Tracking plugins for analytics and internal redirects and the logs they create
- Gallery plugins that pull from external sources
- Social media plugins that pull from external sources
NOTE: DO NOT go poking around in your wp-config file unless you know what you’re doing. Me and every other site geek would prefer that you hire us to do it right the first time. And we’ll all charge you WAY less than cleaning up any mess you may have made of your site. You’ll also want to test all of the above potential conflicts, and any other plugin/widget/function that may be using XML-RPC on your site BEFORE you make this change. And then retest afterward.
Add the following line at the very end of wp-config.php, after the last line that mentions ABSPATH (the one that loads wp-settings.php). Placed above that line it will not work, because add_filter is not defined until wp-settings.php has loaded and the site will fail with a fatal error. The line is:
add_filter('xmlrpc_enabled', '__return_false');
Step 2. Block XML-RPC in the .htaccess file
Input the following code near the top of your .htaccess file. This is the step that actually stops pingback.ping and every other anonymous call, because Apache refuses the request before WordPress runs. The Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat, and the native 2.4 form is Require all denied inside the same Files block. nginx does not read .htaccess, so there the equivalent deny rule belongs in the server configuration.
# START XML RPC BLOCKING
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# FINISH XML RPC BLOCKING
Step 3. Turn off trackbacks and pingbacks
From your WordPress Dashboard, go to Settings > Discussion.
In the top section you will see two checkboxes: “Attempt to notify any blogs linked to from the article” and “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles”. Turn them both off. (The second one only sets the default for new posts; existing posts keep their own setting, which is another reason Step 2 is needed.)
Done. The above 3 steps will turn XML-RPC completely off.
You will not be able to post to WordPress remotely, or use the third-party apps and plugins that require XML-RPC. Nor will you receive notifications on your site (through the pingback and trackback notification system) when another WordPress site that has those turned on links to your site.
Small price to pay for security.
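Once the three steps are in, test them from outside the site rather than trusting the edit. The script below is an added example (not from the original post) that sends two harmless XML-RPC calls to xmlrpc.php and reads the answer: system.listMethods shows whether pingback.ping is still reachable, and wp.getUsersBlogs with deliberately bogus credentials shows whether login attempts are still being processed. WordPress answers a refused login with fault 403 (“Incorrect username or password.”) and, once the xmlrpc_enabled filter is in place, with fault 405 (“XML-RPC services are disabled on this site.”); an HTTP 403 from the web server means the .htaccess block is doing its job. The SITE value is a placeholder, and the sample responses used offline are constructed, not captured from a real site.

```python
"""Added example: probe what xmlrpc.php actually answers after hardening.

Exposure picture returned by assess():
  reachable        False when the web server blocks xmlrpc.php outright (HTTP 403/404)
  pingback_exposed True when system.listMethods still lists pingback.ping
  login_exposed    True when a bogus login is refused with fault 403, i.e. WordPress
                   is still checking passwords (fault 405 means the filter is active)
"""
import urllib.error
import urllib.request
import xmlrpc.client

SITE = "https://example.com"  # placeholder; replace with the site to check


def xmlrpc_request(method, *params):
    """Serialize one XML-RPC method call (the bytes the probe POSTs)."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def decode_call(payload):
    """Inverse of xmlrpc_request: (method name, params) of a serialized call."""
    params, method = xmlrpc.client.loads(payload)
    return method, params


def interpret(status, body):
    """Turn an HTTP status and response body into (kind, payload).

    kind: "blocked"    HTTP 403/404, refused before WordPress ran
          "result"     normal XML-RPC result; payload is the returned value
          "fault"      XML-RPC fault; payload is the faultCode
          "not-xmlrpc" anything else (HTML error page, WAF page, ...)
    """
    if status in (403, 404):
        return "blocked", None
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return "fault", fault.faultCode
    except Exception:
        return "not-xmlrpc", None
    return "result", params[0] if params else None


def assess(list_status, list_body, login_status, login_body):
    """Combine the system.listMethods and wp.getUsersBlogs probes."""
    kind, value = interpret(list_status, list_body)
    if kind == "blocked":
        return {"reachable": False, "pingback_exposed": False, "login_exposed": False}
    methods = value if kind == "result" and isinstance(value, list) else []
    kind, code = interpret(login_status, login_body)
    # 403 "Incorrect username or password." = credentials were checked (brute-forceable)
    # 405 "XML-RPC services are disabled on this site." = xmlrpc_enabled filter active
    return {
        "reachable": True,
        "pingback_exposed": "pingback.ping" in methods,
        "login_exposed": kind == "fault" and code == 403,
    }


def fetch(url, payload):
    """POST one XML-RPC call; return (http_status, body) even for error statuses."""
    req = urllib.request.Request(url, data=payload,
                                 headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(site):
    """Run both probes against a live site (needs network access)."""
    url = site.rstrip("/") + "/xmlrpc.php"
    ls, lb = fetch(url, xmlrpc_request("system.listMethods"))
    # Deliberately bogus credentials: we only want to see how the login is refused.
    gs, gb = fetch(url, xmlrpc_request("wp.getUsersBlogs", "probe", "probe"))
    return assess(ls, lb, gs, gb)


# Constructed responses (not captured from a real site) for offline use.
SAMPLE = {
    "methods": xmlrpc.client.dumps(
        (["system.listMethods", "pingback.ping", "wp.getUsersBlogs"],), methodresponse=True),
    "fault_disabled": xmlrpc.client.dumps(
        xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."), methodresponse=True),
    "fault_badlogin": xmlrpc.client.dumps(
        xmlrpc.client.Fault(403, "Incorrect username or password."), methodresponse=True),
}

if __name__ == "__main__":
    print(probe(SITE))
```

After Step 1 alone you should see login_exposed False but pingback_exposed still True; after Step 2 the whole result should be reachable False, which is the state you want.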
WordPress REST API and XML-RPC
I’m very excited about all of the dazzling features that the WordPress REST API promises to bring. It will make websites far more interactive.
However, it is a second remote interface into your site, served from its own endpoint rather than xmlrpc.php, so turning XML-RPC off does not close it, and the same authentication and abuse concerns will apply to it. That’s a security problem to watch.
The WordPress dev team has announced that they are considering adding the REST API to the WordPress core in two stages. Those will be in versions 4.4 and 4.5, expected in late 2015 and early 2016, respectively.
I’ll be keeping close watch on this topic.
Need Help?
If you do find a conflict when you disable XML-RPC, your best resource for help is the developer or support forum of the plugin or app that is no longer working.
You’re also welcome to report any conflicts you find here. Maybe other folks are having the same issue and would appreciate what you found to fix it.
We’ll all get through this together!
Want to See Your Site Security and Performance Situation?
I do full Site Audits so you can get a real picture of what’s going on behind the scenes and fix it without guessing