WordPress XML-RPC: maximum flexibility and seamless integration. However, the interface also widens the site's attack surface and exposes it to additional security vulnerabilities.
xmlrpc.php – Simply explained
XML-RPC is the abbreviation for “Extensible Markup Language Remote Procedure Call”.
- It is a protocol specification that lets one system invoke procedures on another over a network, with the request and response encoded as XML.
- It is often used by external applications or services to interact with a WordPress site without going through the WordPress admin interface.
- Using XML-RPC requires authentication, usually through the use of a username and password or by using a token.
- In older versions of WordPress, this interface was disabled by default.
- Since WordPress version 3.5, XML-RPC is enabled by default to allow the mobile app to communicate with the WordPress installation.
xmlrpc.php – Security
XML-RPC can be both useful and potentially risky. It enables automation of tasks and integrations, but it can also open up security vulnerabilities.
- With the introduction of the REST API in WordPress core, XML-RPC is no longer required for communication purposes.
- For security reasons, it is therefore recommended to disable XML-RPC.
- The range of systems that the REST API can interact with is also much wider than with XML-RPC.
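Because xmlrpc.php accepts many calls in a single unauthenticated POST, abuse of the endpoint usually shows up in the web server's access log as a burst of POST requests from one client. The following PHP script is an added example (not code from the original article) that counts POSTs to xmlrpc.php per client IP over a few constructed Apache combined-format log lines and flags the noisy ones; the threshold value and the sample addresses are assumptions chosen for the demonstration.

```php
<?php
// Added example, not from the original article: flag clients that hammer
// xmlrpc.php, a common sign of credential guessing or pingback abuse.
// The log lines below are constructed samples in Apache combined format.

$sampleLog = <<<'LOG'
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:00:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8120 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.5"
LOG;

/**
 * Count POST requests to /xmlrpc.php per client IP.
 * Returns an array mapping IP => number of hits.
 */
function countXmlrpcPosts(string $log): array
{
    $counts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined format: client IP is the first field, the request line is quoted.
        if (preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*"/', $line, $m) !== 1) {
            continue; // skip lines that do not parse
        }
        [, $ip, $method, $path] = $m;
        // Ignore any query string so "/xmlrpc.php?for=..." is counted too.
        if ($method === 'POST' && strtok($path, '?') === '/xmlrpc.php') {
            $counts[$ip] = ($counts[$ip] ?? 0) + 1;
        }
    }
    return $counts;
}

/** Return the IPs whose xmlrpc.php POST count is at or above $threshold. */
function flagNoisyClients(array $counts, int $threshold): array
{
    return array_keys(array_filter($counts, fn(int $n): bool => $n >= $threshold));
}

$counts = countXmlrpcPosts($sampleLog);
foreach (flagNoisyClients($counts, 3) as $ip) {
    // With the sample above this reports 203.0.113.10 with 3 hits.
    printf("%s sent %d POSTs to xmlrpc.php\n", $ip, $counts[$ip]);
}
```

On a real log the count should be taken per time window (for example per five minutes) rather than over the whole file, and a client such as the WordPress mobile app or Jetpack will legitimately produce some XML-RPC traffic, so the threshold is a starting point to tune, not a verdict.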
xmlrpc.php – Disable
In view of the replacement of XML-RPC by the REST API, it is recommended to disable xmlrpc.php on your website.
- To disable the interface in code, add the following block to the .htaccess file. The <Files> wrapper restricts the rule to xmlrpc.php; without it, the two directives would deny access to the whole site.
  <Files xmlrpc.php>
  Order Allow,Deny
  Deny from all
  </Files>
  (Order/Deny is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, and the native equivalent inside the same <Files> block is "Require all denied".)
- Alternatively, you can reduce the security risk with the WordPress plugin Disable XML-RPC Pingback.
- In some cases, your hosting provider may also disable XML-RPC.
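Where the web server configuration cannot be edited, the same result can be reached from inside WordPress. The following must-use plugin is an added example (not the article's own code and not the Disable XML-RPC Pingback plugin); it uses the standard WordPress hooks xmlrpc_enabled, xmlrpc_methods, wp_headers and the rsd_link action. The file name and header comment are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Added example, not the article's own code. Save as
 * wp-content/mu-plugins/disable-xmlrpc.php so it loads on every request
 * and cannot be deactivated from the admin screens.
 */

// 1. Refuse every XML-RPC call that needs a login (the core xmlrpc_enabled
//    filter only governs these authenticated methods).
add_filter('xmlrpc_enabled', '__return_false');

// 2. pingback.ping needs no login and is not covered by xmlrpc_enabled, and it
//    can be used to make the site issue requests to other hosts. Remove it and
//    the related unauthenticated pingback method from the method table.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 3. Stop advertising the endpoint: drop the X-Pingback response header if it
//    is present, and the RSD <link> that points clients at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

After installing it, an XML-RPC client that calls an authenticated method receives a fault saying XML-RPC services are disabled, and pingback requests are rejected as unknown methods. A mu-plugin still lets the request reach PHP, so it does not remove the load that a flood of POSTs causes; the .htaccess rule above stops the request at the web server and is the stronger option where it is available.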