It is a good time to write about XML-RPC, as there has been a lot of controversy in the last several weeks about DDoS and brute force attacks against this WordPress interface.
What is XML-RPC and what is it for?
According to the WordPress Codex, “With WordPress XML-RPC support, you can post to your WordPress blog using many popular Weblog Clients. The XML-RPC system can be extended by WordPress Plugins to modify its behavior.”
XML-RPC functionality is turned on by default since WordPress 3.5; you can easily find it in “Writing -> Remote Publishing”.
So why would you need XML-RPC enabled, and what can you do with it?
A plugin or app (like the mobile WordPress app) can do many of the things that you can do when logged into WordPress via the web interface. These may include:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g. an image for a post)
- Get a list of comments
- Edit comments
If you disable XML-RPC you will lose the ability to do those things remotely; you will need to log in to your WordPress dashboard to do any of the things listed above.
The thing is, XML-RPC does not seem to be very secure at all. In fact there was some controversy in the WordPress Trac ticket (Trac is the WordPress developers' ticketing system) regarding WordPress core developer Andrew Nacin suggesting that XML-RPC should be removed entirely. That was 3 years ago; nothing really happened and the interface is still here with us.
But lately, a couple of weeks ago, the founders of Sucuri and Wordfence (two great and reliable security plugin systems for WordPress) “confirmed the reports that a new type of Brute Force login attack was being carried out on a massive scale against WordPress sites around the world using XML-RPC. Apparently, hackers have wised up to the fact that wp-login.php is often well protected”. You can read both articles here and here.
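The pattern described above, one address sending many POST requests to /xmlrpc.php in a short time, is easy to spot in an ordinary web server access log. The following Python script is an added illustration written for this post; it is not code from the original article and it is not Wordfence's or Sucuri's detection logic. The log lines are constructed for the example using documentation IP ranges, and the threshold (20 requests) and window (5 minutes) are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_xmlrpc_bruteforce(log_text, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for every IP that POSTed to /xmlrpc.php at least
    `threshold` times inside any sliding `window`. Threshold and window are
    assumed values for the example; tune them to your own normal traffic."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # xmlrpc.php may carry a query string, so compare the path component only
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == "/xmlrpc.php":
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        peak = 0
        start = 0
        # Two-pointer sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log (not from a real server): one host hammering
    xmlrpc.php with login attempts, and one editor publishing from a mobile app."""
    base = datetime.strptime("10/Jul/2014:10:00:00 +0000", TS_FMT)
    lines = []
    for i in range(30):  # 30 POSTs in about a minute from a single address
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"')
    for i in range(3):  # legitimate remote publishing, three posts spread over 10 minutes
        ts = (base + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "POST /xmlrpc.php HTTP/1.1" 200 1203 "-" "wp-android/2.6"')
    lines.append(f'198.51.100.7 - - [{base.strftime(TS_FMT)}] "GET /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"')
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, count in find_xmlrpc_bruteforce(build_sample_log()).items():
        print(f"{ip}: {count} POSTs to /xmlrpc.php inside a 5-minute window")
```

Run it against a real access log by replacing `build_sample_log()` with the file contents. The legitimate editor never reaches the threshold because the script counts bursts within a window rather than totals, which is what distinguishes a mobile app posting a few times a day from a login-guessing script. Note that a successful login attempt over XML-RPC still returns HTTP 200 (the failure is inside the XML body), so status codes alone will not reveal the attack; request rate per source is the useful signal.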
Some hosting companies started to permanently block XML-RPC because the problems didn’t seem to stop, and many other hosting companies followed that suggestion.
You don’t need to disable it at all. You can use a plugin like Wordfence (there are others, like iThemes, but I use Wordfence and it works for me) to stop attackers from hammering the XML-RPC interface on your site; even the free version of Wordfence can do that. So if you want to help your hosting company, go to wordfence.com, read about it, learn a little and use it. You will be helping your hosting company to help you better.