04 October 2018

A Clever Way Of Blocking XMLRPC in WordPress


XMLRPC is a mechanism that allows for communication between a WordPress installation, other WP installations and third-party applications. For example, an official application from the iOS store will use XMLRPC to authenticate the user, publish new posts or manage your site. Sometimes you might receive pingbacks when someone links your blog post on their site; this feature is also supported by XMLRPC.

Why you should block XMLRPC

Unfortunately, XMLRPC features can be exploited and used to brute-force users’ passwords. This might not be an issue when users have strong passwords, but there is often no guarantee that they do. Furthermore, a carefully crafted XMLRPC request can be used to perform DDoS attacks on other websites, which is a bigger problem.

Does it have any negative impact?

Blocking XMLRPC will slightly reduce the features of your WordPress installation, but in general, it is not a big deal.

First of all, you won’t be able to log in and manage your site with third-party applications and tools. The good ol’ WordPress backend will still work, however, and its developers are making it as mobile-friendly as possible.

Secondly, you won’t get pingback notifications when someone links to your blog post on theirs. I always found this feature annoying and never really used it, just like, probably, most WP users.

Considering that you will be removing a bunch of tools from the hacker’s toolbox, I’d say it’s a worthy trade-off.

How to block XMLRPC

Commonly used solutions include installing additional plugins or modifying server configuration.

The former option is recommended for less experienced people, whereas the latter is more appropriate for advanced users. Also, as described below, changing server configuration gives more tools to play with.

The somewhat boring solution

The easiest solution is denying access to the xmlrpc.php file. Plain and simple.

If you use Apache, then add the following code to your .htaccess file in the WordPress root directory.

If your server of choice is Nginx, then add the following code to the server block that hosts your site.

In both cases, anyone trying to access xmlrpc.php will see a 403 error. Job’s done! Or is it?

Getting fancier

I mentioned that modifying server configuration gives some more options. These include redirecting requests to another address such as… Rick Astley’s “Never Gonna Give You Up” video on YouTube.

Rickrolling under Apache is just a matter of adding the following entry to the .htaccess file.

For Nginx, the code to be inserted into the server block is as follows.
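As an added example (written for this edit, not the author’s own snippet), here is an Nginx server block that covers both variants described above: the exact-match location that answers xmlrpc.php with a 403, and, commented out, the redirect version. The server name, document root and PHP-FPM socket path are assumptions for illustration.

```nginx
# Added example, not the original post's configuration.
# Assumed values: example.com, /var/www/example.com and the PHP-FPM socket.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # Option 1 (the "boring" solution): refuse every request for xmlrpc.php
    # with a 403 before it reaches PHP at all. The "=" makes this an exact
    # match, so it takes precedence over the regex location below that hands
    # .php files to PHP-FPM. Logging stays on so blocked attempts remain
    # visible in the access log.
    location = /xmlrpc.php {
        deny all;
    }

    # Option 2 (the fancier one): send the caller somewhere else instead.
    # Uncomment this block and remove Option 1 to use it.
    # location = /xmlrpc.php {
    #     return 301 https://www.youtube.com/watch?v=dQw4w9WgXcQ;
    # }

    # Normal WordPress permalink handling.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Hand every other PHP file to PHP-FPM (socket path is an assumption).
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After `nginx -t` and a reload, `curl -I http://example.com/xmlrpc.php` should return `403 Forbidden` (or `301` with the redirect variant) while `curl -I http://example.com/` still returns `200`.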

Radosław Szuban
Software Developer

Radek meticulously manages the configuration of both Windows and Linux machines with a wide array of services including web and database servers, virtualization, continuous integration solutions and monitoring tools. In everyday work, he helps others with their technical difficulties and makes sure that lights on servers, switches and other network components are blinking in a happy and soothing kind of way. Avid runner and cyclist who enjoys a good book, interesting podcast, clever t-shirts and digital photography. He’s always quick to joke and jest. Unfortunately quite often his puns are rather puny.