Securing WordPress by Disabling XML-RPC Pingbacks

WordPress has a very practical performance that allows it to be manipulated through external sources using the xmlrpc.php file.In addition, XML-RPC is used by a number of plug-ins – specifically Jetpack which I individually suggest to every self organised WordPress weblog or for its several “all-in-one” performance. Lastly, the XML-RPC method is also used for pingback notices when another website links to you.

However, it also been found that it can be utilized to be part of a large DDoS attack. A cyberpunk can basically use your xmlrpc.php file to deliver several requests to a victim target URL. This was lately used in a well-known attack mentioned by the security service Sucuri which was used to bring down a large well-known website. In this article, we look at the various ways in which you can avoid your own xmlrpc.php file from being utilized in this way.

Method 1 – Simply Delete or Rename xmlrpc.php

If you’re pretty sure that you’re not going to require XML-RPC via plug-ins or any other kind of third-party interaction with your website, you can get rid of the file completly either by deleting or renaming it. It’s located in the root directory of your WordPress installation.

However, this is only a temporary solution as future updates to the core WordPress files will simply restore it. Given that you can never tell whether or not a future plug-in or performance on your website will require xmlrpc.php, I can’t really recommend it as the perfect solution. It’s not lasting and it’s too drastic.

Method 2 – Disallow Using .htaccess

Access your WordPress .htaccess file and insert the following code:

<files xmlrpc.php>
Order allow,deny
Deny from all

This will simply block all access to xmlrpc.php. Anyone who tries to use it will receive a 403 forbidden error message. The benefit of this solution over the previous one is that subsequent WordPress updates will not modify it. Moreover, there’s a ctangible history that you have denied access to xmlrpc.php. As you might want to reverse the changes when you’re troubleshooting some problem.

However, it will still break all XML-RPC functionality on your website including the Jetpack plug-in.

Method 3 – Disable via functions.php

This is similar to the second solution except that you make the change in functions.php instead of .htaccess. Open up your themes functions.php and paste the following before the closing ?> PHP tag:


it’s a little bit more ineffective than the previous solution because it’s being handeled at the application rather than the web server level. On the contrary since functions.php is where you placed most of your custom code anyway, you’re more likely to be reminded of what you’ve done. And this still doesn’t deal with the issue of losing all XML-RPC services.

Method 4 – Disable only Pingbacks

This is the most convenient solution to the problem. Instead of removing all XML-RPC performance, we only disable the pingback service which causes all of the security issues in the first place. As above, insert the following into your functions.php file:

function disable_xmlrpc_ping ($methods) {
unset( $methods[''] );
return $methods;
add_filter( 'xmlrpc_methods', 'disable_xmlrpc_ping');

This rule eliminates the pingback parameter from the $methods argument passed to our custom function. It will maintain your site cannot be used as part of a bigger botnet playing a DDoS strike.

If you’re interested in maintaining XML-RPC performance on your WordPress weblog, I suggest these all methods. If you want to disregard XML-RPC entirely, you have to choose one of the others based upon on whether you want to prioritized performance or good programming methods.