While monitoring my server I noticed bulk traffic to the xmlrpc.php files of my hosted websites. As this is a shared server, there are over 40 WordPress installations on it. That day I noticed a continuous attack on 8 websites: a single request to xmlrpc.php took on average 200MB to 250MB of memory, and these requests arrived continuously at 10 to 20 per second on each website. This caused system instability, ran the server out of memory and eventually crashed it.
Nowadays attackers use xmlrpc.php instead of wp-login.php to run their brute force attacks, and the problem is that since WordPress version 3.5 we can't disable xmlrpc.php, at least not from the WordPress settings. But there are a few ways, so let's discuss them one by one.
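Spotting the flood described above is easier from the access log than from memory graphs. The following is an added example (not code from the original post) that counts requests to xmlrpc.php per virtual host and per second and flags the sites that exceed a threshold, together with the client sending most of them. It assumes a combined log format with the virtual host prepended as the first field (a common shared-host setup); the log lines below are constructed, not real traffic.

```python
import re
import sys
from collections import Counter, defaultdict

# Assumed log layout: "<vhost> <client ip> - - [<timestamp>] "<request>" <status> <bytes>"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): site-a is being flooded,
# site-b sees ordinary low-rate traffic, and one line is unparseable.
SAMPLE_LOG = (
    ['site-a.example 203.0.113.10 - - [10/Mar/2015:13:55:01 +0000] '
     '"POST /xmlrpc.php HTTP/1.1" 200 424'] * 12
    + ['site-a.example 198.51.100.7 - - [10/Mar/2015:13:55:01 +0000] '
       '"POST /xmlrpc.php HTTP/1.1" 200 424']
    + ['site-b.example 198.51.100.7 - - [10/Mar/2015:13:55:01 +0000] '
       '"POST /xmlrpc.php?rsd HTTP/1.1" 200 424',
       'site-b.example 198.51.100.7 - - [10/Mar/2015:13:55:02 +0000] '
       '"GET /wp-login.php HTTP/1.1" 200 1812']
    + ['garbage line that does not match the format']
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_requests_per_second(lines):
    """Count xmlrpc.php hits keyed by (vhost, timestamp) and record the clients behind them.

    Log timestamps have one-second resolution, so grouping by the raw
    timestamp string gives a per-second rate for each virtual host.
    """
    counts = Counter()
    clients = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines we cannot parse rather than miscount them
        # Compare only the path component: attackers often append a query string.
        path = rec["path"].split("?", 1)[0].lower()
        if path.endswith("/xmlrpc.php"):
            key = (rec["vhost"], rec["ts"])
            counts[key] += 1
            clients[key][rec["ip"]] += 1
    return counts, clients


def flag_floods(lines, threshold=10):
    """Return the (vhost, second) buckets at or above `threshold` requests, oldest first."""
    counts, clients = xmlrpc_requests_per_second(lines)
    return [
        {
            "vhost": vhost,
            "second": ts,
            "requests": n,
            "top_ip": clients[(vhost, ts)].most_common(1)[0][0],
        }
        for (vhost, ts), n in sorted(counts.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    # Read a real log from stdin, or fall back to the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for hit in flag_floods(line.rstrip("\n") for line in source):
        print(f'{hit["vhost"]} {hit["second"]}: {hit["requests"]} xmlrpc.php '
              f'requests, mostly from {hit["top_ip"]}')
```

The threshold of 10 per second matches the rate quoted above; on a quiet host even a handful of xmlrpc.php POSTs per second from one client is worth a look, so tune it to your own baseline. The `top_ip` field is what you would feed into a firewall or fail2ban rule.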
1. Deleting xmlrpc.php
This is not recommended, as every WordPress update will put the file back, so it is not the smartest way to deal with the problem.
2. Plugins
There are a few plugins that can do this for you. The best and most used plugins I have found for this purpose are Disable XML-RPC and XML-RPC Pingback. Both plugins are really basic but should be able to help you protect your blog / website from these attacks.
3. Adding Code to Theme’s Functions.php File
This gives the same protection that the plugins above provide, so you can go this way too. All you need to do is edit your theme's functions.php file and add these lines to it:
    function remove_x_pingback($headers) {
        // Drop the X-Pingback header so the site stops advertising its XML-RPC endpoint
        unset($headers['X-Pingback']);
        return $headers;
    }
    add_filter('wp_headers', 'remove_x_pingback');
    // Make WordPress refuse XML-RPC requests. Note: this filter only rejects methods that
    // require a login; the endpoint still answers unauthenticated calls such as pingback.ping,
    // so a web-server-level block (sections 4 to 6) is stronger.
    add_filter('xmlrpc_enabled', '__return_false');
4. Block by .htaccess
You can block access to xmlrpc.php by adding a few lines to your .htaccess. Just edit the .htaccess file and put the following in it; it will block access and the client will get a 403 Forbidden error.
    <Files xmlrpc.php>
        # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
        Order Deny,Allow
        Deny from all
    </Files>
5. Blocking access in nginx
If you are using nginx, put the following in the server block of your nginx configuration:
    server {
        # Exact-match location: only /xmlrpc.php itself is refused
        location = /xmlrpc.php {
            deny all;
        }
    }
6. Block on entire server
If you have a shared server with multiple WordPress installations, any of the above solutions will take time to apply site by site. So the best thing to do is to block access to xmlrpc.php at the Apache level, simply by adding this to the httpd.conf file:
    <FilesMatch "^(xmlrpc\.php)">
        # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
        Order Deny,Allow
        Deny from all
    </FilesMatch>
On CentOS/CloudLinux servers it is located at /usr/local/apache/conf.
If you don't use XML-RPC then you can safely disable it using any of the methods above (except the first one, of course) and protect your blog against xmlrpc attacks.