How To Protect WordPress from XML-RPC Attacks

tinker2711 (New member, joined Dec 18, 2019)
The problem of your site receiving XML-RPC attacks is not new, but recently a lot of people have been attacked in this way. Therefore, if you do not currently need to connect the WordPress service to external applications, disable XML-RPC to avoid the risk of being attacked in this form.

Ways to limit attacks through XMLRPC

To limit attacks of this form, there is a simple way: block this file by not allowing it to be executed. Note that you should not delete it, because it is part of the WordPress source code; deleting it can cause errors, and when you update to the latest version it will be back. Hence blocking it is the most optimal way.

Block xmlrpc.php on .htaccess

If you are using shared hosting or have installed an Apache server, then insert the following into the .htaccess file in the root directory of the website.

Code:
# Apache 2.2 access-control syntax; on Apache 2.4 this needs mod_access_compat,
# otherwise replace the two directives with "Require all denied".
<files xmlrpc.php>
order allow,deny
deny from all
</files>
Block xmlrpc.php on NGINX

Code:
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
}
Restart NGINX

Code:
service nginx restart
Hope that helped!
>>Apkafe
 

TerranceM (Member, joined Jul 25, 2019)
- Change the login URL from /wp-admin/.
- Deny entry to the wp-admin folder from all IPs and allow your IP.
 

Akshay_M (Member, joined Nov 15, 2019)
XML-RPC is actually a remote procedure call protocol that allows anyone to disturb your WordPress website remotely. In other words, anyone, like a hacker, can manage your website without logging in manually through the standard “wp-login.php” URL page. It's extensively used by some plugins, most famously by the Jetpack plugin. However, the word “XML-RPC” has a bad reputation

Method 1: Disable Pingbacks
This is a method that uses your server as an unwitting participant in an attack against another server. In this case, someone tells your site “this URL is linked to your blog!” and then your site replies with a “pingback” to that URL. But there is no proof that the URL actually linked back to you. Do this with hundreds of vulnerable WordPress sites, and you have a DDoS (Distributed Denial of Service) attack on your hands! The simplest and easiest method to prevent your site from being used in this manner is to add the following code to your theme's functions.php:

// Remove the pingback.ping method so the site cannot be used as a pingback reflector
function stop_pings( $vectors ) {
    unset( $vectors['pingback.ping'] );
    return $vectors;
}
add_filter( 'xmlrpc_methods', 'stop_pings' );

Method 2: Prevent All Authentication Requests via XML-RPC

This second method regulates whether you want to allow XML-RPC methods that authenticate users, for example publishing content through e-mail. The site will receive your e-mail, allow you in via XML-RPC, and then publish it if the credentials match.

A lot of people are uncomfortable with the ability of XML-RPC to just take in random calls like this. It's what led to hundreds or thousands of authentication attempts in the first place. Even though WordPress has also addressed this specific method of hacking, you can simply turn it off by using a shortcode in your theme's functions.php file.

// Disables the XML-RPC methods that require authentication
add_filter( 'xmlrpc_enabled', '__return_false' );

It is very important to know that this is not the same method as the first one I mentioned. This shortcode only restricts the authentication methods and leaves all others, like pingbacks, untouched.

Method 3: Disable Access to xmlrpc.php

This method is the most extreme level of blocking, as it completely restricts all XML-RPC functionality. You need to edit the “.htaccess” file at the root of your WordPress website directory and add the following code to it.

<files xmlrpc.php>
# No whitespace is allowed between the Order keywords: "allow, deny" is a syntax error
Order allow,deny
Deny from all
</files>

Now with the above denial rules in effect, trying to access xmlrpc.php will be met
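One way to confirm which of the three methods above is actually in effect on your own site, as an added example that is not code from this thread: it POSTs the unauthenticated system.listMethods call to xmlrpc.php and classifies the reply (a deny rule gives 403, an open endpoint lists pingback.ping, Method 1 removes it). The URL passed to probe() is a placeholder you replace, and the sample reply is constructed, not captured from a real site.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
# Benign, unauthenticated call: asks the endpoint which methods it exposes.
LIST_METHODS_REQUEST = ("<?xml version='1.0'?><methodCall>"
                        "<methodName>system.listMethods</methodName><params/></methodCall>")

def parse_method_list(body):
    """Method names from a listMethods reply; [] on a <fault>; None if not XML-RPC."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodResponse":
        return None                 # HTML error page, WAF block page, etc.
    if root.find("fault") is not None:
        return []
    return [s.text for s in root.iter("string") if s.text]

def classify(status, body):
    """Map an HTTP status and body to the mitigation level from the thread."""
    if status in (403, 404):
        return "blocked"            # Method 3 (.htaccess / nginx deny) in effect
    if status != 200:
        return "unexpected HTTP %d" % status
    methods = parse_method_list(body)
    if methods is None:
        return "not an XML-RPC response"
    if not methods:
        return "fault"              # endpoint answered but refused the call
    if "pingback.ping" in methods:
        return "pingback enabled"   # Method 1 not applied: still usable as a reflector
    return "pingback disabled"      # Method 1 applied

def probe(url, timeout=10):
    """POST the call to url (e.g. https://example.invalid/xmlrpc.php) and classify the reply."""
    req = urllib.request.Request(url, data=LIST_METHODS_REQUEST.encode(),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # urllib raises on 4xx, e.g. the 403 from a deny rule
        return classify(err.code, err.read().decode("utf-8", "replace"))

# Constructed sample reply (not captured from a real site) for an offline check.
SAMPLE_OPEN = ("<?xml version='1.0'?><methodResponse><params><param><value><array><data>"
               "<value><string>system.listMethods</string></value>"
               "<value><string>pingback.ping</string></value>"
               "</data></array></value></param></params></methodResponse>")
```

Run `probe("https://your-site.example/xmlrpc.php")` against your own site after applying a method; "blocked" or "pingback disabled" means the change took effect.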
 