DIsabling xmlrpc.php for safety reasons

Important note: users who use remote blogging, an application which calls xmlrpc.php (e.g. an Android app) or use pingback comments, etc should not modify the xmlrpc. For other users, not modifying the xmlrpc.php poses an uneccessary risk as it can allow your site to be attacked.

WordPress has a built in functionality called Pingback, which allows anyone to initiate a request from WordPress to an arbitrary site. The functionality should normally be used to generate cross references between blogs, but it can also be used for a single machine to originate millions of requests from multiple locations. This in turns allow the potential attacker to perform a DDOS attack on a given site.

For solving this issue, we recommend any of the two methods:

  1. Modifying the htaccess file
  2. Installing the dedicated Wordpress plugin

Modifying htaccess file

The xmlrpc.php can be disabled by modifiying the htaccess file. Locate your htaccess file and enter the following lines:

order deny,allow
deny from all
allow from 123.123.123.123 

Where the IP address is the one you wish to allow access from.

Installing a plugin

The other way to disable the xmlrpc.pho file is to use the Disable XML-RPC plugin.  This plugin completely disables WordPress's XMLRPC functions, and doesn't alter or rename any core files. You can enable XMLRPC again by simply disabling this plugin.

Download Disable XML-RPC


Was this article helpful?

mood_bad Dislike 0
mood Like 0
visibility Views: 4493