{"id":5807,"date":"2017-06-19T08:11:54","date_gmt":"2017-06-19T08:11:54","guid":{"rendered":"https:\/\/cpanelplesk.com\/wp62\/?p=5807"},"modified":"2021-02-01T06:25:12","modified_gmt":"2021-02-01T06:25:12","slug":"securing-wordpress-disabling-xml-rpc-pingbacks","status":"publish","type":"post","link":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/","title":{"rendered":"Securing WordPress by Disabling XML-RPC Pingbacks"},"content":{"rendered":"

WordPress has a very practical performance that allows it to be manipulated through external sources using the xmlrpc.php file.In addition, XML-RPC is used by a number of plug-ins \u2013 specifically Jetpack which I individually suggest to every self organised WordPress<\/a> weblog or for its several \u201call-in-one\u201d performance. Lastly, the XML-RPC method is also used for pingback notices when another website links to you.<\/span><\/p>\n

However, it also been found that it can be utilized to be part of a large DDoS attack<\/a>. A cyberpunk can basically use your xmlrpc.php file to deliver several requests to a victim target URL. This was lately used in a well-known attack mentioned by the security service Sucuri which was used to bring down a large well-known website. In this article, we look at the various ways in which you can avoid your own xmlrpc.php file from being utilized in this way.<\/span><\/p>\n

Method 1 \u2013 Simply Delete or Rename xmlrpc.php<\/span><\/h3>\n

If you\u2019re pretty sure that you\u2019re not going to require XML-RPC via plug-ins or any other kind of third-party interaction with your website, you can get rid of the file completly either by deleting or renaming it. It\u2019s located in the root directory of your WordPress installation.<\/a><\/span><\/p>\n

However, this is only a temporary solution as future updates to the core WordPress files will simply restore it. Given that you can never tell whether or not a future plug-in or performance on your website will require xmlrpc.php, I can\u2019t really recommend it as the perfect solution. It\u2019s not lasting and it\u2019s too drastic.<\/span><\/p>\n

Method 2 \u2013 Disallow Using .htaccess<\/span><\/h3>\n

Access your WordPress .htaccess<\/a> file and insert the following code:<\/span><\/p>\n

<\/div>\n
\n
<files xmlrpc.php>\r\nOrder allow,deny\r\nDeny from all\r\n<\/files><\/pre>\n<\/div>\n
<\/div>\n
This will simply block all access to xmlrpc.php. Anyone who tries to use it will receive a 403 forbidden error message<\/a>. The benefit of this solution over the previous one is that subsequent WordPress updates will not modify it. Moreover, there\u2019s a ctangible history that you have denied access to xmlrpc.php. As you might want to reverse the changes when you\u2019re troubleshooting some problem.<\/span><\/p>\n
However, it will still break all XML-RPC functionality on your website including the Jetpack plug-in.<\/span><\/p>\n
Method 3 \u2013 Disable via functions.php<\/span><\/h3>\n
This is similar to the second solution except that you make the change in functions.php instead of .htaccess<\/a>. Open up your themes functions.php and paste the following before the closing ?> PHP tag:<\/span><\/p>\n
<\/div>\n
\n
add_filter('xmlrpc_enabled','__return_false');<\/pre>\n<\/div>\n
<\/div>\n
it\u2019s a little bit more ineffective than the previous solution because it\u2019s being handeled at the application rather than the web server level. On the contrary since functions.php<\/a> is where you placed most of your custom code anyway, you\u2019re more likely to be reminded of what you\u2019ve done. And this still doesn\u2019t deal with the issue of losing all XML-RPC services.<\/span><\/p>\n
Method 4 \u2013 Disable only Pingbacks<\/h3>\n
This is the most convenient solution to the problem. Instead of removing all XML-RPC performance, we only disable the pingback service which causes all of the security issues in the first place. As above, insert the following into your functions.php file:<\/span><\/p>\n
<\/div>\n
\n
function disable_xmlrpc_ping ($methods) {\r\nunset( $methods['pingback.ping'] );\r\nreturn $methods;\r\n}\r\nadd_filter( 'xmlrpc_methods', 'disable_xmlrpc_ping');<\/pre>\n<\/div>\n
<\/div>\n
This rule eliminates the pingback parameter from the $methods argument passed to our custom function. It will maintain your site cannot be used as part of a bigger botnet playing a DDoS strike.<\/span><\/p>\n
If you\u2019re interested in maintaining XML-RPC performance on your WordPress<\/a> weblog, I suggest these all methods. If you want to disregard XML-RPC entirely, you have to choose one of the others based upon on whether you want to prioritized performance or good programming methods.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
WordPress has a very practical performance that allows it to be manipulated through external sources using the xmlrpc.php file. […]<\/p>\n
Continue Reading…<\/a><\/p>\n","protected":false},"author":2,"featured_media":5809,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,13],"tags":[],"class_list":["post-5807","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cpanel","category-wordpress"],"yoast_head":"\nSecuring WordPress by Disabling XML-RPC Pingbacks - cPanel Plesk<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Securing WordPress by Disabling XML-RPC Pingbacks - cPanel Plesk\" \/>\n<meta name=\"twitter:description\" content=\"WordPress has a very practical performance that allows it to be manipulated through external sources using the xmlrpc.php file. [...]Continue Reading...\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Seemab Saleem\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/\"},\"author\":{\"name\":\"Seemab Saleem\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/73d573cc7eaaf6625cf0dbd72191a648\"},\"headline\":\"Securing WordPress by Disabling XML-RPC Pingbacks\",\"datePublished\":\"2017-06-19T08:11:54+00:00\",\"dateModified\":\"2021-02-01T06:25:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/\"},\"wordCount\":598,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13\"},\"image\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg\",\"articleSection\":[\"Cpanel\",\"WordPress\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/\",\"name\":\"Securing WordPress by Disabling XML-RPC Pingbacks - cPanel Plesk\",\"isPartOf\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg\",\"datePublished\":\"2017-06-19T08:11:54+00:00\",\"dateModified\":\"2021-02-01T06:25:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg\",\"contentUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg\",\"width\":225,\"height\":224},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/cpanelplesk.com\/wp62\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing WordPress by Disabling XML-RPC Pingbacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#website\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/\",\"name\":\"cPanel Plesk\",\"description\":\"Blog on famous hosting control panels\",\"publisher\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/cpanelplesk.com\/wp62\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13\",\"name\":\"Farooq Omer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png\",\"contentUrl\":\"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png\",\"width\":300,\"height\":44,\"caption\":\"Farooq Omer\"},\"logo\":{\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/73d573cc7eaaf6625cf0dbd72191a648\",\"name\":\"Seemab Saleem\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a87ff2e53b03e6839250e5278a6bd46?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a87ff2e53b03e6839250e5278a6bd46?s=96&d=mm&r=g\",\"caption\":\"Seemab Saleem\"},\"description\":\"Linux Server Administrator, Web Hosting engineer. I'm dealing with Linux servers since 2014. I started this blog to share the work i love with the world . let me know if you need any assistance. Thanks!!\",\"sameAs\":[\"https:\/\/cpanelplesk.com\/wp62\"],\"url\":\"https:\/\/cpanelplesk.com\/wp62\/author\/cmb\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Securing WordPress by Disabling XML-RPC Pingbacks - cPanel Plesk","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/","twitter_card":"summary_large_image","twitter_title":"Securing WordPress by Disabling XML-RPC Pingbacks - cPanel Plesk","twitter_description":"WordPress has a very practical performance that allows it to be manipulated through external sources using the xmlrpc.php file. [...]Continue Reading...","twitter_image":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg","twitter_misc":{"Written by":"Seemab Saleem","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#article","isPartOf":{"@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/"},"author":{"name":"Seemab Saleem","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/73d573cc7eaaf6625cf0dbd72191a648"},"headline":"Securing WordPress by Disabling XML-RPC Pingbacks","datePublished":"2017-06-19T08:11:54+00:00","dateModified":"2021-02-01T06:25:12+00:00","mainEntityOfPage":{"@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/"},"wordCount":598,"commentCount":0,"publisher":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13"},"image":{"@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage"},"thumbnailUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg","articleSection":["Cpanel","WordPress"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/","url":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/","name":"Securing WordPress by Disabling XML-RPC Pingbacks - cPanel Plesk","isPartOf":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage"},"image":{"@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage"},"thumbnailUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg","datePublished":"2017-06-19T08:11:54+00:00","dateModified":"2021-02-01T06:25:12+00:00","breadcrumb":{"@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#primaryimage","url":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg","contentUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2017\/06\/disable-XML-RPC-pingback.jpg","width":225,"height":224},{"@type":"BreadcrumbList","@id":"https:\/\/cpanelplesk.com\/wp62\/securing-wordpress-disabling-xml-rpc-pingbacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cpanelplesk.com\/wp62\/"},{"@type":"ListItem","position":2,"name":"Securing WordPress by Disabling XML-RPC Pingbacks"}]},{"@type":"WebSite","@id":"https:\/\/cpanelplesk.com\/wp62\/#website","url":"https:\/\/cpanelplesk.com\/wp62\/","name":"cPanel Plesk","description":"Blog on famous hosting control panels","publisher":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cpanelplesk.com\/wp62\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/c78ae1cf9451a09592fb9697d69c0c13","name":"Farooq Omer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/","url":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png","contentUrl":"https:\/\/cpanelplesk.com\/wp62\/wp-content\/uploads\/2020\/11\/cpanelplesk.png","width":300,"height":44,"caption":"Farooq Omer"},"logo":{"@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/"}},{"@type":"Person","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/73d573cc7eaaf6625cf0dbd72191a648","name":"Seemab Saleem","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cpanelplesk.com\/wp62\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a87ff2e53b03e6839250e5278a6bd46?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a87ff2e53b03e6839250e5278a6bd46?s=96&d=mm&r=g","caption":"Seemab Saleem"},"description":"Linux Server Administrator, Web Hosting engineer. I'm dealing with Linux servers since 2014. I started this blog to share the work i love with the world . let me know if you need any assistance. Thanks!!","sameAs":["https:\/\/cpanelplesk.com\/wp62"],"url":"https:\/\/cpanelplesk.com\/wp62\/author\/cmb\/"}]}},"_links":{"self":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/posts\/5807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/comments?post=5807"}],"version-history":[{"count":0,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/posts\/5807\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/media\/5809"}],"wp:attachment":[{"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/media?parent=5807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/categories?post=5807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cpanelplesk.com\/wp62\/wp-json\/wp\/v2\/tags?post=5807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}