WordPress is the most popular Content Management System. This popularity makes WordPress a perfect target for hackers. The most common attack faced by a WordPress site is XML-RPC attack. The WordPress XML-RPC is a specification that aims to standardize communications between different systems. It uses HTTP as the transport mechanism and XML as encoding mechanism which allows for a wide range of data to be transmitted. Today in this tutorial I will show you how to protect your WordPress from XML-RPC attack.
The Problems with XML-RPC
The two biggest assets of the API is its extendability and its security. XML-RPC authenticates with basic authentication. It sends the username and password with each request.
XML-RPC Attacks
Randomly “Error establishing database connection” error is displaying on the WordPress site.
“Out of memory” error in web console.
“Cannot open the file no such file/directory” error in web server error log.
“POST /xmlrpc.php HTTP/1.0” error in webserver access log.
Blocking XML-RPC attack
If you don’t use XML-RPC at all, perhaps the best thing you can do is disable it via plug-in or you can do this with code by adding the following to a plugin or theme:
add_filter( 'xmlrpc_enabled', '__return_false' );
Add Following code in .htacess file
<files xmlrpc.php>
order allow,deny
deny from all
</files>
OR
location ~* ^/xmlrpc.php$ {
return 403;
}
How to check WordPress XML-RPC?
If your try to open http://example.com/xmlrpc.php, it will show forbidden.
