This is a WordPress tutorial on how to disable or remove XML-RPC functionality to improve the security of your site.

What is XML-RPC?

XML-RPC stands for XML Remote Procedure Call. It is a protocol which uses XML to encode its calls and HTTP as a transport mechanism.

Beginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. The plugins below provide an easy way to do so.

Why should you disable XML-RPC?

XML RPC has two main weaknesses:

  • Brute force attacks:
    Attackers try to log in to WordPress through xmlrpc.php with as many username/password combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.”
  • Denial of Service Attacks via Pingback:
    Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.”

1. Remove XML-RPC Methods

Remove all methods from the WordPress XML-RPC API.

The plugin removes all methods from the WordPress XML-RPC API. It is an alternative to just using the xmlrpc_enabled hook, because that is only used "To disable XML-RPC methods that require authentication".

Activating this plugin will disable pingbacks and trackbacks, because these rely on XML-RPC.
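
The difference between the two hooks, as an added example (not code from the plugin or from this page): a small must-use plugin that applies the `xmlrpc_enabled` filter and also filters `xmlrpc_methods`. The file location and the `EXAMPLE_XMLRPC_MODE` constant are assumptions made for this sketch.

```php
<?php
/**
 * Added example: switching XML-RPC off from a must-use plugin, e.g.
 * wp-content/mu-plugins/xmlrpc-lockdown.php (a made-up file name).
 * EXAMPLE_XMLRPC_MODE is a hypothetical constant used only here:
 * 'remove_all' drops every method, anything else drops only pingbacks.
 */
if ( ! defined( 'EXAMPLE_XMLRPC_MODE' ) ) {
    define( 'EXAMPLE_XMLRPC_MODE', 'remove_all' );
}

// xmlrpc_enabled only makes methods that authenticate fail at login.
// Methods that never authenticate, such as pingback.ping, keep answering.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_methods controls which methods the WordPress server registers.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( 'remove_all' === EXAMPLE_XMLRPC_MODE ) {
        // Nothing left to call: pingbacks and remote publishing stop working.
        return array();
    }
    // Keep the API for apps that need it, but drop the pingback methods.
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// The server's built-in system.* methods (listMethods, multicall,
// getCapabilities) are registered outside this filter; with every other
// method removed, a multicall batch has nothing left to invoke.
```

Mobile and desktop clients that publish over XML-RPC stop working in `remove_all` mode, so check what depends on the API before enabling it.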

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'Remove XML-RPC Methods', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots 1-3: wee-remove-xmlrpc-methods tutorial]


2. Disable XML-RPC

Disables the XML-RPC API in WordPress 3.5+, which is enabled by default.

Pretty simply, this plugin uses the built-in WordPress filter "xmlrpc_enabled" to disable the XML-RPC API on a WordPress site running 3.5 or above.

Beginning in 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'Disable XML-RPC', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots 1-3: disable-xml-rpc tutorial]


3. Manage XML RPC

Enable or disable XML-RPC for everyone or based on an IP list. You can also control pingbacks and unset X-Pingback from the HTTP headers.

You can disable XML-RPC for given IPs to avoid brute force attacks, or enable access only for some IPs. XML-RPC on WordPress is an API that gives developers who build mobile apps, desktop apps and other services the ability to talk to a WordPress site. It gives developers a way to write applications (for you) that can do many of the things you can do when logged into WordPress via the web interface.
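
One way to implement IP-based access to xmlrpc.php, as an added example (not the plugin's own code): a must-use plugin that answers 403 unless the client address is on an allowlist. The `example_*` names and the listed ranges are assumptions; the ranges are constructed documentation addresses.

```php
<?php
// Added example, not the plugin's code. Ranges are constructed placeholders.
const EXAMPLE_XMLRPC_ALLOW = array( '203.0.113.10', '198.51.100.0/24', '2001:db8::/32' );

// True when $ip equals $range or falls inside it (CIDR), for IPv4 and IPv6.
function example_ip_in_range( $ip, $range ) {
    $parts = explode( '/', $range, 2 );
    $addr  = @inet_pton( $ip );
    $net   = @inet_pton( $parts[0] );
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ( false === $addr || false === $net || strlen( $addr ) !== strlen( $net ) ) {
        return false;
    }
    $max  = strlen( $addr ) * 8;
    $bits = isset( $parts[1] ) ? $parts[1] : (string) $max;
    // A malformed or oversized prefix must never widen the allowlist.
    if ( ! ctype_digit( $bits ) || (int) $bits > $max ) {
        return false;
    }
    $bytes = intdiv( (int) $bits, 8 );
    $rest  = (int) $bits % 8;
    if ( substr( $addr, 0, $bytes ) !== substr( $net, 0, $bytes ) ) {
        return false;
    }
    if ( 0 === $rest ) {
        return true;
    }
    // Compare the remaining high bits of the first partially covered byte.
    $mask = ( 0xFF << ( 8 - $rest ) ) & 0xFF;
    return ( ord( $addr[ $bytes ] ) & $mask ) === ( ord( $net[ $bytes ] ) & $mask );
}

function example_xmlrpc_client_allowed( $ip, array $allow ) {
    foreach ( $allow as $range ) {
        if ( example_ip_in_range( $ip, $range ) ) {
            return true;
        }
    }
    return false;
}

// xmlrpc.php defines XMLRPC_REQUEST before WordPress loads plugins.
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    // Behind a reverse proxy REMOTE_ADDR is the proxy's address, not the client's.
    $client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! example_xmlrpc_client_allowed( $client, EXAMPLE_XMLRPC_ALLOW ) ) {
        status_header( 403 );
        exit;
    }
}
```

The same allowlist can be enforced at the web server or firewall instead, which stops the request before PHP and WordPress load at all.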

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'Manage XML RPC', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots 1-3: manage-xml-rpc tutorial]


4. AntiHacker

Firewall, Scanner, block user enumeration & TOR, disable Json API, xmlrpc & Pingback, Hide Version, Login error message, more...

Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan.

This plugin lets you improve system security: protect login (Login Security), firewall, scan for malware, block user enumeration and TOR, disable the JSON WordPress REST API, xmlrpc (xml-rpc) and Pingback, plus many more security tools. Multilanguage ready; Italian and Portuguese language files are included.

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots 1-3: antihacker tutorial]


5. Disable XML-RPC-API

Disable XML-RPC-API

Protect your website from xmlrpc brute-force attacks and DoS and DDoS attacks. This plugin disables XML-RPC and trackbacks/pingbacks on your WordPress website.

Here are its features:

  • Disable access to the xmlrpc.php file using the .htaccess file
  • Automatically change the .htaccess file permission to read-only (0444)
  • Disable X-pingback to minimize CPU usage
  • Disable selected methods from XML-RPC
  • Remove pingback-ping link from header
  • Disable trackbacks and pingbacks to avoid spammers and hackers
  • Rename XML-RPC slug to whatever you want
  • Black list IPs for XML-RPC
  • White list IPs for XML-RPC
  • Some options to speed up your WordPress website
  • Disable JSON REST API
  • Hide WordPress Version
  • Disable built-in WordPress file editor
  • Disable wlw manifest
  • And some other options

Step 1: Install it

Install this plugin by navigating to Plugins -> Add New within your Admin dashboard, searching for 'Disable XML-RPC-API', then clicking Install and activating it.
Alternatively you can head over here, download the plugin and then upload and extract it to your WordPress plugins folder.

  1. Upload the disable-xml-rpc directory to the /wp-content/plugins/ directory in your WordPress installation
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. XML-RPC-API is now disabled!

Step 2: Use it

Use the plugin as shown in the screenshots below:

[Screenshots 1-3: disable-xml-rpc-api tutorial]
