Hardening Your WordPress Website: What is the xmlrpc.php file used for? (Part 1 of 2)

Welcome to our 2-part series on the infamous WordPress xmlrpc.php file! In this series, we cover a brief history of this file, why it exists, and why you should very likely disable it on your WordPress website.

When it comes to WordPress security, one best practice is to secure your site by locking down or removing any plugins, themes, features, or files that are not in use. This is because the more parts your website has, the more opportunities you are providing to hackers to break into your site!

A good analogy is having a house with a lot of doors and windows. Having more entries may be handy sometimes, but the more doors, the more locks you need to have, and the higher the risk that someone may be able to break in.

If you’re currently managing your own WordPress site, you may have heard of XML-RPC, or the ‘xmlrpc.php’ file. This is a default file that’s included in WordPress, and is very commonly targeted by hackers. It can be a bit of a weak point for many sites, especially considering the fact that very, very few WordPress websites are actually using it. As such, it may well be worth disabling this file if it’s not in use on your site.

In this article, we’ll cover what xmlrpc.php is, why it was first introduced, and the potential security benefits of disabling it on your site. Read on below to find out more!

What is xmlrpc.php?

In order to determine whether or not it’s worthwhile to disable xmlrpc.php on your site, we’ll start by going over what exactly it is!

The xmlrpc.php file is simply a default, core WordPress file. You can find it in your base WordPress directory (usually public_html) with all of your other files such as wp-config.php. As of the time of writing, this file is only around 3.1KB in size and 104 lines. In the past, this file was much larger – however, with newer versions, it was made more efficient and scaled-down as it became responsible for fewer and fewer WordPress functions.

The XML part of the name stands for Extensible Markup Language, which in this case is a language that’s used to encode data, which is then sent via the HTTP protocol. The RPC in the name stands for “Remote Procedure Call”, which, as the name suggests, is used to call a procedure (like performing a task) remotely on another computer. If you put these together you have XML-RPC, which is a protocol that’s used to send and receive information between computer systems or servers. If you’re familiar with API’s, XML-RPC is an early and basic API implementation that was first created in 1998.

What is it used for in WordPress?

These days, not so much! xmlrpc.php was first added in the very early days of WordPress to enable users or systems to make remote modifications to WordPress, as no other system existed to accomplish that task at the time.

Without it, WordPress would have been isolated to its own environment without being able to be modified from external systems. The biggest use for it was the WordPress smartphone application, which allowed users to make or edit posts, moderate comments, and generally interacts with their site from their phone’s WordPress app.

Some plugins do still use XML-RPC, the most notable being the Jetpack plugin/integration. However, the majority of modern plugins that have the need to access or manage content within your WordPress site have moved to the much newer REST API (including the WordPress smartphone app!). The REST API was introduced in WordPress 4.4, which effectively replaced any need for XML-RPC.

In short, if you’re not using the Jetpack plugin, then you can likely proceed with disabling xmlrpc.php on your WordPress site, and thus, tighten up your security. The vast majority of sites have no need for xmlrpc.php access any longer. Some hosts will even block its access by default at a server configuration level, due to the associated security risks.

Why is it good practice to disable it?

There are two main security risks that are present when xmlrpc.php is enabled.

  1. Brute-force attacks. A brute-force attack is when a malicious party uses a bot to send thousands of repeat attempts by way of multiple usernames and password combinations to gain access to an account, hoping to hit the right combination. The xmlrpc.php file allows authentication attempts, and unlike standard attempts to login to your WordPress admin, there is no limit on the amount of attempts that can be tried. This means that an attacker can potentially try hundreds of password attempts within seconds, without becoming blocked. In fact, if you take a look through your site’s access logs, it’s likely that you will see a lot of strange IP addresses trying to access your xmlrpc.php file. This is usually indicative of a brute-force attempt.
  1. The other security risk comes by way of a DDoS attack. This particular DDoS attack exploits WordPress’ Trackbacks and Pingbacks feature. As taken from the WordPress.org definition: Trackbacks and pingbacks are methods for alerting blogs that you have linked to them. The difference between them is:
  • Trackbacks – must be created manually, and send an excerpt of the content.
  • Pingbacks – are automated and don’t send any content.

Although not very common, malicious parties can use multiple WordPress sites to generate hundreds of trackbacks and pingbacks to a single WordPress site, targeting the victim’s xmlrpc.php file. This floods the WordPress site’s server and either slow it down dramatically or makes it completely inaccessible.

Now that you’ve got the what and why, you may want to go ahead and disable the xmlrpc.php file from your WordPress website. Be sure to check out part 2, where we cover all of the various methods of doing this!

As always, if you have any questions about this post or our shared hostingVPSreseller or dedicated server plans, simply call us on 1300 MY HOST (694 678) during business hours, or submit a ticket through our Support Portal and one of the crew will be in touch!

Get tips & insights
direct to your inbox.

Sign up to our newsletter to get the most from your website hosting with insider tips, tools and guides plus 10% off your first invoice!

Have more questions
on Hosting?

Simply call us on 1300 MY HOST (694 678) during business hours, or submit a ticket through OnePanel and one of the crew will be in touch!

Get in touch
Top