Should You Disable XML-RPC on WordPress?
This entry was posted in WordPress Security on October 12, 2015 by Mark Maunder
A few questions came up in our recent blog post, where we discuss XML-RPC brute force attacks, about disabling XML-RPC on WordPress. To allay any confusion, we thought we would describe exactly what XML-RPC does and whether you should consider disabling it.
XML-RPC on WordPress is actually an API, or “application program interface”. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides lets developers write applications for you that can do many of the things you can do when logged into WordPress through the web interface. These include:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g. an image for a post)
- Get a list of comments
- Edit comments
For a full list of the WordPress API functions available to developers via XML-RPC, take a look at this page on the WordPress codex.
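To make the API concrete, here is an added example (not code from the original post or from Wordfence) showing what an XML-RPC exchange with a WordPress site looks like on the wire, using Python's standard `xmlrpc.client` module: the `system.listMethods` request a client POSTs to `xmlrpc.php`, and how the response is decoded and checked against the capabilities listed above. The site URL is a placeholder, the sample response is constructed, and the audit is meant for a site you administer.

```python
"""Added example (not Wordfence's code): what a WordPress XML-RPC exchange
looks like, and how to audit which methods your own site exposes."""
import xmlrpc.client

# Constructed placeholder: the xmlrpc.php endpoint of a site you administer.
SITE_XMLRPC_URL = "https://example.invalid/xmlrpc.php"

# The capabilities named in the post, mapped to the WordPress XML-RPC method
# that provides each one. Only these names are checked; the real list is longer.
WRITE_METHODS = {
    "wp.newPost": "publish a post",
    "wp.editPost": "edit a post",
    "wp.deletePost": "delete a post",
    "wp.uploadFile": "upload a new file",
    "wp.editComment": "edit comments",
}
READ_METHODS = {"wp.getComments": "get a list of comments"}


def build_list_methods_request():
    """Body of the HTTP POST an XML-RPC client sends to ask for the method list."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def parse_list_methods_response(body):
    """Decode a <methodResponse> carrying a single array of method names."""
    params, _methodname = xmlrpc.client.loads(body)
    return list(params[0])


def classify_methods(methods):
    """Group exposed methods by the capability they grant (write, read, pingback)."""
    exposed_write = {m: WRITE_METHODS[m] for m in methods if m in WRITE_METHODS}
    exposed_read = {m: READ_METHODS[m] for m in methods if m in READ_METHODS}
    return {
        "write": exposed_write,
        "read": exposed_read,
        # pingback.ping is the method behind the pingback abuse discussed later.
        "pingback": "pingback.ping" in methods,
    }


def audit_live_site(url=SITE_XMLRPC_URL):
    """Ask a site you administer for its method list (this one makes a network call)."""
    proxy = xmlrpc.client.ServerProxy(url)
    return classify_methods(proxy.system.listMethods())


# Constructed sample response, shaped like what a WordPress site returns.
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "wp.newPost", "wp.editPost", "wp.deletePost",
      "wp.uploadFile", "wp.getComments", "wp.editComment", "pingback.ping"],),
    methodresponse=True,
).encode()

if __name__ == "__main__":
    print(build_list_methods_request().decode())
    print(classify_methods(parse_list_methods_response(SAMPLE_RESPONSE)))
```

Running the script offline prints the request XML and the classification of the constructed response; `audit_live_site()` performs the same check against the real endpoint. If `system.listMethods` answers at all, XML-RPC is enabled, which is exactly what the applications described in this post (and the attacks below) depend on.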
If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress.
Let's use an example to illustrate: You have an app on your iPhone that lets you moderate WordPress comments. Someone advises you to disable XML-RPC. Your iPhone app suddenly stops working because it can no longer communicate with your website using the API you just disabled.
To us, disabling XML-RPC comes with a cost. You are disabling a major API in WordPress. Wordfence briefly offered an option to disable XML-RPC, but we removed it because WordPress’s own API abuse prevention has improved. Furthermore, offering the ability to disable XML-RPC caused confusion among users when their applications broke because they could not access the API.
Jetpack is one of the most popular plugins for WordPress and relies heavily on XML-RPC to provide its features. It is developed by Automattic, makers of WordPress. If you visit the “Known Issues” page for Jetpack, you’ll notice they discuss how certain security plugins can impact Jetpack features if you use them to disable XML-RPC.
The following two kinds of attacks on XML-RPC have received press coverage during the past two years.
- DDoS via XML-RPC pingbacks. This is actually not a very effective form of DDoS and anti-spam plugins like Akismet have gotten good at spotting this kind of abuse.
- Brute force attacks via XML-RPC. These are completely ineffective if you’re using Wordfence because we simply block the attacker after they reach the login attempt limit.
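The brute force case comes down to rate limiting, as the post says. As an added example (not Wordfence's code, and not how Wordfence implements its limit), the following Python script shows the same idea applied to a web server access log: it counts POSTs to `xmlrpc.php` per client address inside a sliding time window and flags any source that reaches an attempt limit. The log lines, the limit of 5 attempts and the 5-minute window are all constructed assumptions for the demonstration.

```python
"""Added example (not Wordfence's code): flag XML-RPC brute force in a web
server access log by counting POSTs to xmlrpc.php per client address."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed assumptions: attempts that trigger a flag, and the window they
# must fall inside. These are not Wordfence's settings.
ATTEMPT_LIMIT = 5
WINDOW = timedelta(minutes=5)

# The Common Log Format fields we need: client address, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def flag_xmlrpc_bursts(lines, limit=ATTEMPT_LIMIT, window=WINDOW):
    """Return {ip: total_posts} for sources whose POSTs to xmlrpc.php reach
    `limit` inside any span of length `window` (sliding window per address).
    Note: a failed XML-RPC login still returns HTTP 200 with a <fault> body,
    so the status code cannot be used to tell failures from successes."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= limit:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample log: one address hammering xmlrpc.php, one legitimate
# app making a couple of calls, and one address with slow, spread-out posts.
def _line(ip, ts, request, status=200):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{request}" {status} 412 "-" "Mozilla/5.0"'

_base = datetime(2015, 10, 12, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.5", _base + timedelta(seconds=7 * i), "POST /xmlrpc.php HTTP/1.1")
     for i in range(8)]
    + [_line("198.51.100.7", _base + timedelta(minutes=1), "POST /xmlrpc.php HTTP/1.1"),
       _line("198.51.100.7", _base + timedelta(minutes=2), "GET /wp-login.php HTTP/1.1")]
    + [_line("192.0.2.9", _base + timedelta(minutes=6 * i), "POST /xmlrpc.php HTTP/1.1")
     for i in range(6)]
)

if __name__ == "__main__":
    print(flag_xmlrpc_bursts(SAMPLE_LOG))   # only the bursting address is flagged
```

The sliding window is what keeps the legitimate comment-moderation app in the sample (two calls a minute apart) and the slow sender (six calls over half an hour) from being flagged, while the address sending eight POSTs in under a minute is. Widening the window or lowering the limit trades fewer missed attempts for more false positives against real XML-RPC clients, which is the same trade-off any login limit makes.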
If you still want to disable XML-RPC, there are several plugins to choose from in the official WordPress repository. You will lose any XML-RPC API functionality that your applications rely on. We don’t disable XML-RPC on our own sites.
We hope this has been helpful and cleared up some confusion we’ve seen in our comment threads. As always we very much welcome your comments below.