If you’re the curious type and you look at the files that make up WordPress, you may have noticed a file with a slightly strange name.
Lurking in the shadows, it leaves the center stage to the famous wp-config.php or wp-login.php, to name but a few. In this article, however, we’re going to turn the spotlight on it. This is the xmlrpc.php file in WordPress.
This file is how you benefit from the XML-RPC protocol on WordPress. The XM… what? Hang in there — you’ll find out all about it in this handy post.
And you’ll see that for security reasons, it’s often better to deactivate this famous protocol, which can quickly become more trouble than it’s worth.
That’s all for this intro. Continue reading below to learn more.
Overview
Your best WordPress projects need the best host!
WPMarmite recommends Bluehost: great performance, great support. All you need for a great start.
What is XML-RPC on WordPress?
Definition of XML-RPC
XML-RPC is a protocol that allows software running on different operating systems and environments (Windows, Mac OS X, GNU/Linux, etc.) to communicate with each other over the Internet using a remote call procedure.
As the official XML-RPC website explains, XML-RPC uses “HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.”
To better understand what this protocol is made of, let’s take a look at it:
- XML stands for eXtensible Markup Language. It’s a general-purpose mark-up language — like HTML — used to store and share data between different systems.
- RPC (Remote Procedure Call) is “when a computer program causes a procedure to execute in a different address space,” Wikipedia explains.
So much for the general definition. Let’s now look at the implications of the XML-RPC protocol for WordPress.
A protocol natively embedded in WordPress
More concretely, the XML-RPC protocol enables your WordPress site to communicate with external servers, such as third-party applications.
WordPress has had native support for XML-RPC since 2012, and even activates it by default on all sites running on versions 3.5 and above (previously, users had the choice of activating this functionality or not).
On WordPress, XML-RPC is an API. This is how other services can communicate with your WordPress site and exchange data.
API stands for Application Programming Interface. It allows software to connect to a different application or system so that they can exchange functionality, services, technologies, and data.
The well-known Jetpack plugin, for example, uses the XML-RPC protocol to connect your site to WordPress.com.
In practice, the XML-RPC specifications built into WordPress are contained in a file called xmlrpc.php, which is included in every fresh installation of WordPress.
You can find it in the folder containing all the basic WordPress files and directories, once you’ve downloaded it. The code looks something like this:
What is the xmlrpc.php file used for on WordPress?
Thanks to the xmlrpc.php file in WordPress, you can:
- Connect to your WordPress site using a smartphone, thanks to the WordPress application available on mobile (iOS and Android)
- Link your WP site to external systems such as automation tools like Zapier or IFTTT
- Enable pings and backlinks on your site. A ping is a signal sent by WordPress to another site, software, or server to indicate that you have just published new content (or updated it).
A trackback is a link created automatically between two articles.
Although the world’s most popular CMS (Content Management System) embeds the XML-RPC protocol natively, you will see that it is a good idea, most of the time, to deactivate this xmlrpc.php file on your WordPress site.
Find out why in the next section.
Why should you disable the xmlrpc.php file on WordPress?
Because it has been superseded by the REST API
The XML-RPC protocol is one of the old dogs, as they say. It was launched in April 1998, at a time when Dial-up internet was still widely used. That puts it in perspective, doesn’t it?
In the meantime, things have evolved very quickly and the XML-RPC protocol has lost popularity, overtaken by other technologies.
This is the case with the REST API, which has been part of the WordPress Core since the launch of version 4.7 in December 2016. It’s used, for example, by the WordPress content editor (Gutenberg).
REST is a software architecture for developing web services.
Aimed primarily at developers, this REST API transmits data in JSON format, whereas XML-RPC uses XML.
The REST API also enables WordPress to communicate with other sites and applications.
Sound familiar? That’s right: the REST API is capable of fulfilling the same role as your WordPress xmlrpc.php file… while being much more flexible and, above all, more powerful.
In short, the two (XML-RPC and the REST API) duplicate each other. In the vast majority of cases, you don’t need your xmlrpc.php file on your WordPress site.
The main reason why WordPress continues to offer an xmlrpc. php file even though it includes the REST API is for reasons of backward compatibility. Not all WP sites run on one of the latest versions, and XML-RPC is therefore required for certain operations.
Because it may represent a security risk for your site
In addition, the WordPress xmlrpc.php file can represent a security risk for your site. Don’t panic yet, though!
First of all, you should know that the XML-RPC protocol is secure. It’s not really the protocol itself that poses a problem, but rather the way in which it is used.
This exposes you to two major types of risk, likely to make your site more vulnerable.
Disabling the xmlrpc.php file can limit brute force attacks
Firstly, this protocol can be used to launch brute force attacks.
When a service tries to communicate with your WordPress site, your user name and password are transmitted in plain text (particularly when you want to connect remotely, for example via an application).
In this case, malicious robots can take advantage of the situation and try to discover the username and password of your site’s administrator account by testing different combinations, in order to take control of it.
These are known as brute force attacks. The WordPress REST API uses a more secure protocol than XML-RPC when sending a request to the server.
To combat brute force attacks, you can use a dedicated plugin such as Limit Login Attempts Reloaded. If you use a general-purpose security plugin — which WPMarmite highly recommends — such as iThemes Security or SecuPress, you can also take advantage of a dedicated option to limit this type of attack. Finally, remember to use strong passwords beforehand. To do this, use a password generator like the one offered by Avast or Dashlane.
Distributed denial-of-service attacks will no longer target your file
The other threat you may encounter is the resurgence of Distributed Denial of Service Service (DDoS) attacks. As you read earlier, the xmlrpc.php file allows you to activate pings and backlinks.
Hackers can take advantage of this to generate a large number of backlinks by exploiting the WordPress xmlrpc.php file, in order to crash your server, which is unable to process too many requests at once.
Your site then runs the risk of becoming unavailable for more or less a long time. This can have a very negative impact on your traffic and your sales, especially if you have a WooCommerce online shop.
In some cases, though this applies especially to large e-commerce and government sites, the perpetrators of denial-of-service attacks may also demand a ransom.
In summary, it’s advisable to disable XML-RPC in order to strengthen the security of your WordPress site.
Before we look at exactly how to do this, it’s important to be aware of a few situations in which disabling the WordPress xmlrpc.php file is not necessarily a good idea.
To reinforce the security of your site, back it up regularly and remember to update it as soon as possible. To do this, you can use a tool like WP Umbrella, which combines various functions dedicated to site maintenance within the same dashboard. This is very practical if you’re used to managing several sites at once, especially for your customers.
WP Umbrella : Manage all your WordPress websites under one dashboard
Update your themes and plugins, monitor and backup your WordPress sites effortlessly.
When should you keep an active xmlrpc.php file?
Deactivating the WordPress XML-RPC protocol is a good idea most of the time, unless you are in one of the following situations:
- You are using a version of WordPress lower than 4.7. This means that the REST API is not integrated into the WordPress core. XML-RPC will then be required to use certain functions.
If this applies to you, I recommend that you upgrade to the latest version of WordPress as soon as possible, particularly for security reasons. - You are using a third-party application or software that communicates with WordPress only using the XML-RPC protocol and does not support the REST API.
In principle, there is very little chance that you will be in one of these situations, but you never know.
How do you know if the xmlrpc.php file is active on your WordPress site?
Before taking action and showing you how to deactivate your xmlrpc.php file on WordPress, it’s a good idea to check that this file is active on your site.
To do this, you can use an online tool offered by the World Wide Web Consortium (W3C).
Enter the URL of your site (e.g. that of the home page) in the field called “Address,” then click on the “Check” button:
If the XML-RPC protocol is inactive, you will see the following message:
On the other hand, if it’s active on your site, you will see this on your screen:
In this case, you can deactivate it using the instructions below.
How to disable XML-RPC on WordPress
Before doing anything, back up your site to make sure you can restore it in the event of a problem. To do this, you can use a backup plugin like UpdraftPlus, or an all-in-one tool like WP Umbrella, which we mentioned earlier.
At this stage, you might be thinking: “OK, that’s easy: all I have to do is delete the xmlrpc.php file from my site’s root directory and I’ll be rid of this thing”.
If this idea ever occurs to you, don’t put it into practice. You run the risk of incompatibilities between certain plugins, and also of certain malfunctions.
When it comes to how to proceed, you have two options on the table:
- Using a plugin, recommended for beginners and people who don’t want to touch the code
- The manual method, for experienced developers and technicians.
How do I disable the xmlrpc.php file using a plugin?
To start with, let’s look at how to do this using a plugin. On the official WordPress plugin directory, there are several plugins for disabling the XML-RPC protocol on WordPress.
Disable XML-RPC (200K+ active installations) allows you to disable the XML-RPC protocol automatically. To do this, simply enable it on your administration interface.
Go to Plugins > Add New and type “Disable XML-RPC” in the search bar:
Install and activate the plugin, and you’re all set.
If you’d like a bit more control over the process, use one of the following plugins:
- Disable XML-RPC-API (90K+ active installations)
- stop XML-RPC Attacks (6K+ active installations)
Both plugins will allow you to choose which aspects of the protocol you deactivate, such as the pings or backlinks.
With Disable XML-RPC-API, for example, you just have to go to the XML-RPC Security > XML-RPC Settings menu after activating the plugin.
You can then choose to disable pingbacks:
If you use a general security plugin, check that it doesn’t already offer an option to deactive the WordPress XML-RPC API. iThemes Security, for example, offers this feature in its “Settings” menu (it’s also possible to deactivate pings). Then you have no need to activate an additional plugin.
How to deactive the xmlrpc.php file without a plugin
If you have the necessary skills and/or you’re not afraid to get your hands dirty, you can certainly deactivate the XML-RPC on WordPress using a line of code.
Only use this method if you know what you’re doing. If not, default to using a plugin. And in any case, remember to backup your site before taking any action.
How to deactivate the XML-RPC on WordPress using the .htaccess file
One method you can use relies on your .htaccess file. This file is usually in the root of your site, on your hosting server.
If you need to create an.htaccess file, check out our dedicated guide on the blog. You will also find various ways to customize the file and make your site more secure and higher-performing.
To do it, connect to your favorite FTP client (ex: FileZilla) using the username and password given by your hosting server.
Find the root file. The name of this file will differ based on your host.
Choose the .htaccess file by clicking on it, then right-click. Choose “View/Edit” and add the following line of code to the file after the # END WordPress comment line:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Save the file and refresh your site to make sure everything is still working properly.
Whatever method you use (plugin or manual), if everything goes well, the xmlrpc.php file of WordPress won’t be active anymore.
You can quickly check this by using the tool offered by W3C that we mentioned earlier.
Without going into detail, since it’s pretty technical, you should know that you can also deactivate the WordPress xmlrpc.php file by creating a plugin that contains a specific filter with the following line of code: add_filter('xmlrpc_enabled', '__return_false');.
This is less recommended, but you can also add this snippet in the functions.php file of your child theme.
But again, this is just an FYI. Don’t try it if you don’t have the necessary knowledge and skills!
Join the WPMarmite subscribers
Get the last WPMarmite posts (and also exclusive resources).
Conclusion
Thanks to this post, you now understand the XML-RPC protocol and the xmlrpc.php file on WordPress much better.
To review, you learned:
- What the XML-RPC protocol is and how it impacts your WordPress site
- Why it’s useful to deactivate the protocol in the majority of cases
- How to deactivate the XML-RPC using a plugin or manually
In general, make sure you’re taking care of your site’s security. We suggested several classic good practices throughout these lines.
For you, where do you stand? Have you tried to deactivate the XML-RPC, or will you try it now? Share your opinion by leaving a comment.
Receive the next posts for free and access exclusive resources. More than 20,000 people have done it, why not you?
Continue reading
Articles posted in WordPress TutorialscPanel: Features and how to use this interface for your WordPress site
Need to modify the PHP version of your website? That’s where it happens. Need to create an email address? That’s where it happens too. Need to install an SSL certificate on short notice? Here again. Where? On your WordPress site’s…
How to redesign a WordPress website: the ultimate checklist
Aaah, the redesign of a WordPress website… When you think about the different issues that this mission involves, you usually tend to stress a bit. Who doesn’t dream, in this key moment, of doing a simple Command + Option +…
How to enable two-factor authentication on your WordPress site
A login + a password. Connecting to the WordPress administration interface is very simple, as long as you remember these two elements. From the point of view of the malicious person or robot that wants to access your site, it’s…