Frank's Random Wanderings

Turn off XML-RPC on WordPress

Malware

This site is running WordPress, which is a double-edged sword. On the positive side, it’s a stable, easy-to-use system with lots of options, themes, customizations, etc. On the negative side, it’s very popular, and that popularity makes WordPress sites a favourite target for hackers.

I’m running the iThemes Security plugin, which I recommend, and it was reporting lots of login attempts. Even after I locked down my wp-admin page using an .htaccess password it was still seeing login attempts. How?

It turns out WordPress has another front door, called XML-RPC. This interface is used by applications to log in to WordPress and do stuff (like edit posts and so forth). If you’re using a phone or tablet app to work on your WordPress site, you’d be using XML-RPC.

In my case I’m not doing such things, so I turned off XML-RPC, and voila! No more hackers banging on the door. XML-RPC can be turned off within the iThemes Security plugin. But for even more security you can block it using .htaccess. This is how I did it:

# Block xmlrpc access to WordPress
# Apache 2.2 access-control syntax; on Apache 2.4 it only works with
# mod_access_compat loaded, otherwise the equivalent is "Require all denied"
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

Now this is a brute-force way of doing it, which works just fine for me. But of course it’ll break anything using XML-RPC, which in some cases may cause problems. You should test your site after any such changes, and of course google if you want to better understand what’s going on. There is also an interesting thread on the WordPress forums.
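One way to confirm the block is working and to see the login traffic the post describes is to look at the web server's own access log. The script below is an added example (not from the original post or from iThemes Security): it parses Apache combined-format lines, counts requests to xmlrpc.php per client address, and separates the ones that got through from the ones the .htaccess rule answered with 403. The log lines are constructed sample data; the threshold of three requests is an arbitrary assumption.

```python
"""Spot xmlrpc.php request floods in an Apache access log (combined format)."""
import re
from collections import Counter

# Constructed sample lines: three POSTs to xmlrpc.php from one client, one
# normal page view, and one xmlrpc.php request that the block already refused.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_hits(log_text):
    """Count xmlrpc.php requests per client, split into allowed and blocked."""
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] != "/xmlrpc.php":
            continue
        # A 403 means the .htaccess rule (or the plugin) already refused it.
        (blocked if rec["status"] == "403" else allowed)[rec["ip"]] += 1
    return allowed, blocked

def suspicious_clients(log_text, threshold=3):
    """Clients that reached xmlrpc.php at least `threshold` times (assumed cutoff)."""
    allowed, _ = xmlrpc_hits(log_text)
    return sorted(ip for ip, n in allowed.items() if n >= threshold)

if __name__ == "__main__":
    allowed, blocked = xmlrpc_hits(SAMPLE_LOG)
    print("xmlrpc.php requests that got through:", dict(allowed))
    print("xmlrpc.php requests already blocked:", dict(blocked))
    print("clients worth a closer look:", suspicious_clients(SAMPLE_LOG))
```

Once the .htaccess rule is in place, every xmlrpc.php request should land in the blocked counter; anything still showing up as allowed means the rule is not being applied.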

Have fun locking down your site!
