WordPress includes a program called xmlrpc.php to control WordPress from the outside. In this article, I would like to write about this file and its security.
What is xmlrpc.php used for?
xmlrpc.php provides a variety of functions to control WordPress from other programs or from outside the site, rather than from the admin panel. Examples include.
- Create posts by email
- Edit a post
- Delete a post
- Uploading files
- Adding and Deleting Comments
- Edit comments
- Pingback (This is a feature that notifies the linker of the link)
Security for xmlrpc.php
Because xmlrpc provides external control of WordPress, its functionality can be abused by hackers. The following are examples of how hackers can exploit this functionality.
DDoS attacks (site down by sending a large number of packets, denying access)
Obtaining administrative privileges from login enforcement by brute force using dictionaries
Continuous posting of spam comments
Site tampering after looting of administrative privileges, installation of backdoors
XMLRPC offers some useful features, but at the same time, it has increased vulnerability for WordPress. WordPress Doctor believes that XMLRPC functionality should be completely disabled for security reasons.
How do I stop xmlrpc.php?
The xmlrpc.php functionality can be stopped by various plugins, such as Wordfence Security, All In One WP Security & FirewalliThemes Security , and other security plugins that include such functionality.
Is it safe to stop xmlrpc.php?
No. The email posting and pingback functions will be disabled. Also, some plug-ins use XMLRPC functionality and may not work properly.
In particular, jetpack uses XMLRPC in various aspects, so please note that the following functions may become unavailable. However, many functions will work. It is very unlikely that you will get an error and not be able to view your site.
Various functions of the integration with WordPress.com (access statistics function of the site after the integration works)
Public size sharing
● Access to normal administrative functions (403 errors are generated when pages are displayed)
Blank lines or warnings appear on pages and administration screens.
Related Articles
WordPress Vulnerability Assessment Security Scanner