About XML-RPC

XML-RPC is a protocol for remote procedure calls which uses XML for the data exchange. In XML-RPC the client that wants to make a call to a remote method creates the input parameters in the form of XML and sends it via an HTTP request to a remote server implementing the XML-RPC protocol.

 Understanding XML-RPC in WordPress

WordPress is a complete blogging platform. It is made highly customizable and easy to develope the website. Using WordPress XML-RPC can create WordPress blogging clients, some other software which does some batch tasks like creating multiple posts from a file, etc. The XML-RPC system can be extended by the Word Press plugins to modify its behaviour. The XML-RPC functionality is turned on by default since WP 3.5. XML-RPC turned on by default – especially with the mobile devices and third-party desktop apps that use it to communicate with WordPress.

The issue with XMLRPC is that it can cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections. That will cause the vulnerable site (and server) to go down for a period of time, hence affecting Availability of your website.

There are four ways that WP‘s XML-RPC API  could be abused by an attacker:

Intel gathering — attacker may probe for specific ports in the target’s internal network

Port scanning — attacker may port-scan hosts in the internal network

DoS attacks — attacker may pingback via large number of sites for DoS attack

Router hacking — attacker may reconfigure an internal router on the network

 Possible workarounds

1. If you aren’t using the XML-RPC functionality for anything, to protect against any vulnerabilities, add below lines .htaccess:

# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>

To test that it’s working, try accessing the xmlrpc.php file in your browser. If it’s working, you’ll get a “403 – Forbidden message”.

2. To redirect requests for xmlrpc.php to a custom page, modify the RedirectMatch like so:

# protect xmlrpc

Redirect 301 /xmlrpc.php http://example.com/custom-page.php

3. Denying all access to xmlrpc.php:

# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

4. Allow access to xmlrpc.php for specific IP addresses only.

# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from <IP>
Allow from <IP>
</Files>

You can also add following code to your wp_config.php after the line require_once(ABSPATH . ‘wp-settings.php’); if you want to disable XML-RPC for your site.

add_filter('xmlrpc_enabled', '__return_false');