Disable XML-RPC WordPress Exploit

Hello everyone, today I’m going to show you how to Disable XML-RPC WordPress Exploit. Not a lot of people know that one of WordPress’s vulnerability is the XML-RPC file.

Disable XML-RPC

What is xmlrpc.php?

Before i show how to block it, i want to explain wait it is. Here’s a quote from its official founder:

It’s remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.

In short, it’s a way to transfer big amounts of XML structured data. However, this can be a problem. by default, WordPress comes and runs with XML-RPC mechanism. Meaning, a hacker could exploit this breach And brute force the heck out of your website. And no, a Loginizer plugin or any other limiting login attempts won’t work. This is due to the simple fact, with XML-RPC requests a hacker can send hundreds of requests without raising a red flag. Ultimately, if they will try long enough they will succeed.

Moreover, you can read more about the nature of XML-RPC here. Without further delay, now that we know what it is, i will show you how to defend against it.

Disable XMLRPC

Copy and paste code snippet onto your .htaccess file:

# Disallow all WordPress xmlrpc.php requests to this domain
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Simply put, we disable requests from outside. Resulting in a 403 if you try to send any request to it from outside. Finally, making you safe from this kind of attacks! However, we want to make sure, go to your browser’s URL bar and type your website’s URL followed by a “/” and “xmlrpc.php” like so: /xmlrpc.php

If you did everything right you will get a 403 page. Your’e set.

Final Words

Well, i hope this code snippet helped you out. I can’t stress out how important it is to disable this vulnerability. Finally, if you liked this snippet and would like to browse more code snippets, visit this link.

Leave a Reply

Your email address will not be published. Required fields are marked *