XML-RPC is a remote call procedure through which WordPress allows you to publish using clients such as Windows Live Writer.
It is an active procedure by default on every WordPress installation, but there are three factors to take into consideration:
- it is rarely actually used.
Do you use Windows Live Writer to update your WordPress blog? No? So why leave this function active if it is useless? - There are some great alternatives
- in the past it has been used for brute-force attacks.
Even if the code has been improved in the meantime and the chances of success of a brute-force attack via XML-RPC have greatly reduced, it still remains a privileged target; which means that if a BOT targets your blog, it can make tens of thousands of XML-RPC calls trying to hack it.
Even if unsuccessful, these calls will consume resources (RAM, CPU), and your service will suffer.
Given this, the best solution is to completely disable the XML-RPC service from WordPress , and the most effective way to do so is through the .htaccess file.
How
to disable simply add the following lines to the .htaccess file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from123.123.123.123
</Files>
Note:
- by appropriately using the "allow" function, we can make sure that calls are only possible from certain IPs
- the change is not irreversible: by removing the above lines, XML-RPC will become active again
