Categories
Code PHP

Disabling WordPress XMLRPC.php

One of the sites that we manage was getting a large amount of traffic to xmlrpc.php reported by newrelic.com. It was causing the database connection to fall over and was bringing down the site. As we are not using this functionality on our site we can assume this traffic is suspicions.

“XML-RPC is a simple, portable way to make remote procedure calls over HTTP. It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages. Implementations are available for Unix, Windows and the Macintosh.”
http://tldp.org/HOWTO/XML-RPC-HOWTO/xmlrpc-howto-intro.html

A quick google search also brings back a lot of results of WordPress XML-RPC exploits, including New Brute Force Attacks Exploiting XMLRPC in WordPress.

Since wordpress 3.5 they have enabled xmlprc by default and don’t let you disable it via the admin anymore. As the site was down we wanted to get the site back up and running. The easiest way to do this was to blocked all traffic to xmlrpc.php via .htaccess with the following code:


<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>

A bit of a search turned up a way to also disable to module. By simply adding the following to your themes functions.php we are able to turn it off.


add_filter( 'xmlrpc_enabled', '__return_false' );

There is also a plugin for this https://wordpress.org/plugins/disable-xml-rpc/, though all it does is the above. So if you don’t want heaps of plugins just add the above code to your functions.php.

A quick restart of apache to kick all the users and traffic returned to normal.

So unless you are using XML-RPC I recommend disabling it.


EDIT.

It appears XML-RPC can also be used to perform DoS attacks on old versions of WordPress.
http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/

Leave a Reply