![](https://blog.ovhcloud.com/wp-content/uploads/2025/02/xmlrpc.webp)
Understanding the past usefulness and current risks of the xmlrpc.php file, as well as best practices for securing your website.
The xmlrpc.php file is a historical component of WordPress. Although it was essential a few years ago, its usefulness has greatly diminished as the platform has evolved. This file is now often perceived as a back door for cyberattacks, meaning that it is crucial to manage it to ensure that your website stays secure.
However, this is not an isolated case – many other tools or features can become obsolete or risky over time, so it is important to stay alert to identify and address any potential vulnerabilities.
In this article, we will briefly describe the historical role of xmlrpc.php, examine the risks it poses, and highlight solutions for disabling or securing it. We’ll also emphasise the importance of embracing modern alternatives.
What is xmlrpc.php?
The xmlrpc.php file is an interface for WordPress to communicate with other services or applications via the XML-RPC protocol. Initially, it facilitated features such as:
- Publishing content via third-party tools (e.g. desktop software, automated scripts)
- Mobile website management, such as the old WordPress app for smartphones
Since the creation of the more modern and secure WordPress REST API, the xmlrpc.php file has lost its usefulness. For most people who manage a WordPress website, it is now even considered obsolete.
Why is xmlrpc.php problematic?
The way this file is exposed, and the features it offers, now make it a prime target for cyberattacks.
- Brute-force attacks: attackers can use the file to attempt an unlimited number of login attempts, cycling through combinations of usernames and passwords.
- Amplification of DDoS attacks: certain features of xmlrpc.php allow many requests to be bundled into a single call, which multiplies the load on the server.
- Exploitation of software vulnerabilities: if WordPress core or your plugins are not up to date, this file can serve as an entry point for running malicious commands.
How do I disable xmlrpc.php?
Fortunately, disabling this file is simple and does not affect most WordPress websites. Here are several methods, depending on your needs.
- Modify the .htaccess file (preferred solution)
If you have access to files on your site, you can prevent queries to xmlrpc.php by adding the following lines to the .htaccess file (located at the root of your site):
```apache
# Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat
# (the "Require all denied" form shown below is the native 2.4 equivalent)
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>
```
Advantage: direct and lightweight method.
Disadvantage: requires some care, as an error in the .htaccess file can affect the entire website.
- Via a plugin
Looking for a turnkey solution? Extensions like Disable XML-RPC-API allow you to quickly disable xmlrpc.php without touching the code.
Advantage: easy and time-saving.
Disadvantage: reliance on an additional plugin.
- Configure your server
For administrators with a dedicated hosting plan or a VPS, it is possible to block access to xmlrpc.php at the server level. For example, on Apache:
```apache
<FilesMatch "xmlrpc\.php$">
    Require all denied
</FilesMatch>
```
Or on Nginx:
```nginx
location = /xmlrpc.php {
    deny all;
}
```
Advantage: ideal solution for high-load environments.
Disadvantage: requires technical knowledge.
What are the alternatives to xmlrpc.php?
There are several simple solutions you can consider if you need the functionality offered by xmlrpc.php.
- Use the modern WordPress mobile app
The official WordPress application for iOS and Android now uses the REST API instead of xmlrpc.php. Make sure your site is configured correctly to allow this transition. Most recent web hosting plans, such as those offered by OVHcloud, support this feature by default.
- Adopt tools compatible with the REST API
Many remote publishing solutions have been updated to use the REST API, which is more secure and better suited to current needs. Check if your favourite tools offer this compatibility, and update them if necessary.
- Secure xmlrpc.php in case you specifically need it (as a last resort)
If you really can’t do without xmlrpc.php, it’s crucial to limit its exposure to threats. Here are some best practices:
- restrict access to certain IP addresses via .htaccess or server configuration
- use a security plugin to limit XML-RPC requests (e.g. the number of connections in a given time)
- implement strong authentication, such as two-factor authentication, to enhance connection security
This solution is not recommended, as it still leaves an accessible attack surface. It should be reserved for cases where the use of xmlrpc.php is still essential. Also keep in mind that these adjustments are not a substitute for migrating to modern tools like the REST API.
Protect your WordPress website while staying up to date
Hopefully, you are now more familiar with the historical role of xmlrpc.php and its associated security issues. Keep in mind that keeping your website safe requires constant vigilance – so check for updates to WordPress and its plugins, and read their release notes carefully for any changes that could affect the security of your environment.
Need some extra help? Join our community on Discord, or check out our WordPress documentation to go even further in securing and optimising your site.