This section explains how to allow WordPress XMLRPC access only from the local network or your own domain.

What is XML-RPC?
XML-RPC (XML Remote Procedure Call) is a mechanism that allows you to post, edit, delete articles, upload media, and manage comments from outside without logging in to the WordPress administration screen by exchanging XML format data via HTTP. It exists as a file xmlrpc.php in the root directory of WordPress.
It has been enabled by default since WordPress 3.5 (2012), but the REST API is now the mainstream, and XML-RPC remains for backward compatibility.
XML-RPC can be used as a springboard for brute-force attacks (password brute force) or DDoS attacks (pingback exploits).
Configure .htaccess to deny access to it except from the local network or your own domain.
Add the following settings to the .htaccess file in the same directory as xmlrpc.php.
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from 123.123.123.123
</Files>
127.0.0.1 and ::1 mean localhost.
The 123.123.123.123 part should be the IP of your company’s local network.
Harmful Effects of Restrictions
Setting IP restrictions may affect some services and applications. Please check in advance.
Official WordPress apps (iOS / Android)
Official WordPress smartphone apps use XML-RPC to post and edit articles. Restrictions will prevent you from operating from the app.
Cooperation with external services
Jetpack has features that rely on XML-RPC, and some of them may stop working after the restriction; automatic posting to WordPress using IFTTT or Zapier may also stop.
External Blog Editors
Editors for posting articles from the desktop, such as MarsEdit (Mac) and Windows Live Writer, use XML-RPC and will not be available.
*But if the IP of your PC is fixed, you can still use them by adding that IP to .htaccess as an allowed address.
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from your ip here
</Files>
Pingback/Trackback
You will not receive pingback notifications from other sites.
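The following is an added example, not part of the original page: a Python pre-check for the advice above to verify the impact in advance. It reads Apache access-log lines (combined format is assumed) and lists the clients currently calling xmlrpc.php that the allowlist would deny. The log lines, user-agent strings and function names are constructed for illustration; 123.123.123.123 is the page's placeholder address.

```python
import ipaddress
import re
from collections import Counter

# Mirrors the page's "Allow from" lines; 123.123.123.123 is the page's placeholder.
ALLOW = [ipaddress.ip_network(n) for n in ("127.0.0.1", "::1", "123.123.123.123")]

# Assumed log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def is_allowed(ip_text, allow=ALLOW):
    """True if the client address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in allow)

def would_be_blocked(log_lines, allow=ALLOW):
    """Count xmlrpc.php requests per (client IP, user agent) that the rule would deny."""
    blocked = Counter()
    for line in log_lines:
        m = LINE.match(line)
        if not m or not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue  # not in the expected format, or not an XML-RPC request
        try:
            if not is_allowed(m["ip"], allow):
                blocked[(m["ip"], m["agent"])] += 1
        except ValueError:
            continue  # client field is a hostname, not an IP address
    return blocked

# Constructed sample log lines (documentation address ranges, made-up user agents).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "ExampleMobileApp/1.0"',
    '203.0.113.7 - - [10/Mar/2025:10:05:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 388 "-" "ExampleMobileApp/1.0"',
    '123.123.123.123 - - [10/Mar/2025:10:06:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "ExampleDesktopEditor/5.0"',
    '198.51.100.20 - - [10/Mar/2025:10:07:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "ExampleAutomation/2.3"',
    '::1 - - [10/Mar/2025:10:08:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 230 "-" "ExampleLocalCron/1.0"',
    '198.51.100.20 - - [10/Mar/2025:10:09:12 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, agent), hits in would_be_blocked(SAMPLE).most_common():
        print(f"{hits:4d}  {ip:<16} {agent}")
```

Run over a real access log before deploying the rule, the output is the list of apps and integrations that will start receiving 403 responses from xmlrpc.php.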
[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal] does not disable XML-RPC completely; it only detects and blocks excessive XML-RPC access and brute-force attacks.
We hope you will feel free to use this service.