xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!


Did you know your website could be used to attack other websites?

Or, has your website displayed this message:

“Resource Limit Is Reached. The website is temporarily unable to service your request as it exceeded resource limit. Please try again later”

Or, worse:

“500 Internal Server Error”


If so, XML-RPC Support, or more specifically your WordPress xmlrpc.php file, may very well have been the reason.

What is this article about?

My goal in writing this article is to clarify what XML-RPC protocol is about, share a bit of history, and provide some quick tips for enabling or disabling XML-RPC Support.

Update, August 2014:
The WordPress 3.9.2 security update was intended to minimize the impact of excessive connections to the xmlrpc.php script.

Here’s the rub: XML-RPC Support, a.k.a. remote publishing, was “OFF” by default in versions of WordPress prior to 3.5. In December 2012, the WordPress folks, believing they had fixed the XML-RPC security issues from earlier that year, forced the default XML-RPC protocol setting to “ON” and, for good measure, then removed the option to turn it off within the WordPress dashboard. Zoinks!

Then, later in 2013, distributed denial of service attacks using the xmlrpc mechanism were confirmed again by Incapsula, WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks.
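As an added illustration that is not part of the original article, the following Python check runs over a few constructed Apache access-log lines and separates the two roles described here: your site being driven as a pingback reflector (a burst of POSTs to xmlrpc.php from one source) and your site being the target (many distinct WordPress installations fetching one page while they verify pingbacks). The log lines, IP addresses and the threshold are constructed for this example.

```python
import re
from collections import Counter

# Apache "combined" access-log format. The sample lines below are constructed for
# this example and do not come from a real server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2014:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2014:12:00:02 +0000] "GET /?p=4 HTTP/1.1" 200 8120 "-" "WordPress/3.9.1; http://blog-a.example"
198.51.100.8 - - [10/Aug/2014:12:00:02 +0000] "GET /?p=4 HTTP/1.1" 200 8120 "-" "WordPress/3.9.1; http://blog-b.example"
198.51.100.9 - - [10/Aug/2014:12:00:03 +0000] "GET /?p=4 HTTP/1.1" 200 8120 "-" "WordPress/3.8; http://blog-c.example"
192.0.2.10 - - [10/Aug/2014:12:00:03 +0000] "GET /about/ HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per parseable combined-log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def xmlrpc_posters(entries, threshold):
    """Source IPs that POSTed to xmlrpc.php at least `threshold` times.
    A flood of these means this site is being used as a pingback reflector."""
    counts = Counter(e["ip"] for e in entries
                     if e["method"] == "POST" and e["path"].split("?")[0] == "/xmlrpc.php")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def pingback_verifier_sources(entries):
    """Distinct IPs whose User-Agent is the 'WordPress/x.y; http://...' string a
    WordPress site sends when it fetches a page to verify a pingback. Many distinct
    ones arriving at once means this site is the target of the reflected traffic."""
    return {e["ip"] for e in entries if e["ua"].startswith("WordPress/")}

if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    print("reflector abuse from:", xmlrpc_posters(entries, 3))
    print("verifier fetches from", len(pingback_verifier_sources(entries)), "WordPress sites")
```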

Without going into a long treatise on how or why the XML-RPC protocol can be used and abused, let’s talk about whether you need to leave it “ON” (or OFF!).

  • Do you use any of the applications listed on this WordPress Codex page, use Jetpack, or do you care about pingbacks and trackbacks?

If you are not sure what pingbacks or trackbacks are about, there are a lot of great articles written on this subject. I recommend trying a Google search for the phrase “why should I care about pingbacks.”


I couldn’t care less about XML-RPC protocol or pingbacks or trackbacks, or Jetpack

  • Then install these plugins: Disable XML-RPC and if not using a CDN like Cloudflare, install Bad Behavior as well.

If you would prefer to not use plugins and wish to kill the loading of the xmlrpc.php file completely, just add this snippet of text to your .htaccess file:

RewriteEngine On
RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]

This null-routing method uses fewer server resources than the alternatives: removing the script would produce a 404 “file not found” response for every request, and denying access to it would still consume resources to serve each denial.


I loves my XML-RPC protocol, pingbacks and trackbacks, or Jetpack

For those of us who find Jetpack indispensable, and fully disabling xmlrpc.php is not an option, try one of these two options:

  • Disable XML-RPC plugin. The Disable XML-RPC plugin was written to disable the XML-RPC API, but does not disable the trackbacks and pingbacks required by Jetpack and other mobile applications.
  • Remove XMLRPC Pingback Ping should likewise allow JetPack and WordPress Mobile Applications to operate without error.

Alternately, to disable only pingbacks and trackbacks, while leaving the XML-RPC protocol operational:

  1. Delete the wp-trackback.php file:
    /public_html/wp-trackback.php
  2. Then disallow notifications by going to
    http://your_site.com/wp-admin/options-discussion.php

And uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)”

That should give you back much of the XML-RPC system flavor, without the bad pingback taste.
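The “keep XML-RPC, drop only pingbacks” approach above can also be enforced in front of WordPress by inspecting each xmlrpc.php request body for the method being called. This is an added example in Python, not code from the article or from the plugins it names; the request bodies are constructed, your_site.com is the article’s placeholder host, and the body size cap is an assumed value.

```python
import xml.etree.ElementTree as ET

MAX_BODY = 64 * 1024            # assumed cap; reject oversized bodies before parsing
BLOCKED = {"pingback.ping"}     # the one method behind the pingback DDoS problem

# Constructed request bodies for this example; your_site.com is the article's placeholder host.
PINGBACK = b"""<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>
<params><param><value><string>http://source.example/post</string></value></param>
<param><value><string>http://your_site.com/?p=4</string></value></param></params></methodCall>"""
GET_BLOGS = b"""<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value><string>user</string></value></param></params></methodCall>"""
MULTICALL = b"""<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>
<params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data/></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>pingback.ping</string></value></member>
<member><name>params</name><value><array><data/></array></value></member></struct></value>
</data></array></value></param></params></methodCall>"""

def called_methods(body):
    """Every method name in the request, including those wrapped in system.multicall,
    so a batched pingback is not overlooked. Raises ValueError if malformed."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        root = ET.fromstring(body)   # stdlib parser; prefer defusedxml in production
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}")
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    methods = [root.findtext("methodName", "").strip()]
    if methods[0] == "system.multicall":
        for member in root.iter("member"):
            if member.findtext("name", "").strip() == "methodName":
                methods.append(member.findtext("value/string", "").strip())
    return methods

def decide(body):
    """'block' a pingback, 'allow' any other XML-RPC call (Jetpack, mobile apps),
    'reject' anything that is not a parseable methodCall."""
    try:
        methods = called_methods(body)
    except ValueError:
        return "reject"
    return "block" if any(m in BLOCKED for m in methods) else "allow"

if __name__ == "__main__":
    for name, body in (("pingback", PINGBACK), ("getUsersBlogs", GET_BLOGS), ("multicall", MULTICALL)):
        print(f"{name}: {decide(body)} {called_methods(body)}")
```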

Alternatively, if Jetpack is your friend (today), instead of denying all access to xmlrpc.php, you can just as easily whitelist the JetPack IP addresses while denying the rest. This way you’ll retain your Jetpack mojo, while serving up a dead page to beggar bots:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 192.0.64.0/18
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</Files>

 *If, for example, you are publishing updates from your iPhone over your local WiFi connection, you would enter your local Internet connection’s IP address to allow access. Hint: Google “What is my IP”


And Enjoy!

I’ve posted a few basic article links below. Likewise, if you have questions just pick up the phone and call anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637

  • How to Block Bots from Seeing your Website – Bad Bots and Drive-by Hacks Explained
  • Protecting WordPress Against Brute Force and Denial of Service Attacks
  • WordPress Security Plugins Revealed

© Copyright 2022 HackGuard.com™, HackRepair.com™,
The Hack Repair Guy™, Hack Repair Guy™
Content Approved By Jim Walker, The Hack Repair Guy