Enter your email address to get free access to STORM

No Credit Card Details Required.


Improving WordPress security with default blocking of XML-RPC

Written By

Tim Dunton

Published on

November 4, 2019


Features, Security

A very common reason for downtime or compromised websites is down to a feature in WordPress called XML-RPC. XML-RPC is used as a remotely accessible publishing tool using an offline blogging tool. This was very popular in the early days of WordPress when broadband speeds were much slower, as it made publishing much faster. However, these days it is very rarely used and causes far more problems than it solves.

The vulnerability in XML-RPC is that a hacker can use this functionality to make repeated calls to WordPress to try lots of different admin usernames and passwords. This is called a brute force attempt, which causes two problems. Firstly, a hacker could use this to work out your WordPress login and then log in to the WordPress admin to do what they like.

Secondly, these repeated calls or brute forces, can put lots of traffic on the server hosting the website. This traffic can stop the website from running and therefore no websites on this server will load up.

Typically, hackers will notice the server has stopped responding and stop their repeated attempts. Once the server is back online there will usually be no record of why the server went down unless someone goes through the log files.

We noticed this was such a common issue that we issued a fix from inside STORM. To prevent this from happening in STORM, we disable access to xml-rpc.php.  We currently only do this on adding a new website rather than on any previous added websites. However, we recommend enabling it on any WordPress website where you don’t use XML-RPC. This feature can be easily disabled and enabled via the website configuration in STORM.

Subscribe via email