Understanding WordPress XML-RPC

It is a good time to write about XML-RPC, as there has been a lot of controversy in the last several weeks about DDoS and brute-force attacks against this WordPress interface.

What is XML-RPC and what is it for?
According to the WordPress Codex, “With WordPress XML-RPC support, you can post to your WordPress blog using many popular Weblog Clients. The XML-RPC system can be extended by WordPress Plugins to modify its behavior.”
XML-RPC has been turned on by default since WordPress 3.5. The “Writing -> Remote Publishing” checkbox that used to control it was removed in that same release, so there is no longer a dashboard setting to switch it off.

So why would you want XML-RPC enabled, and what can you do with it?
A plugin or app (like the WordPress mobile app) can do many of the things you can do when logged into WordPress through the web interface. These include:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

If you disable XML-RPC you lose the ability to do those things remotely: you will have to log in to your WordPress dashboard and do them from there.
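To make the exchange concrete, here is a small added example (mine, not code from this post or from WordPress itself) that builds the call a client sends to xmlrpc.php, parses it the way the server would, and interprets the reply. It runs offline in Python: the site, the account “editor” / “correct horse” and both reply bodies are constructed stand-ins, and the fault text is shaped like the reply WordPress gives to a bad login.

```python
import xmlrpc.client

# Added example, not code from the original post. Everything below runs
# offline: request bodies are built and parsed locally, and the "server"
# replies are constructed samples shaped like WordPress's own.


def build_request(method, *params):
    """Serialize an XML-RPC call the way a blog client (or an attacker) does.

    wp.getUsersBlogs is the usual probe: it takes (username, password) and
    answers with a fault on a wrong pair, so each POST to xmlrpc.php is one
    password guess, with wp-login.php never involved.
    """
    return xmlrpc.client.dumps(params, methodname=method)


def parse_request(body):
    """Server side: recover the method name and its parameters from the body."""
    params, method = xmlrpc.client.loads(body)
    return method, params


def parse_response(body):
    """Client side: a normal reply yields ("ok", value); a fault yields
    ("fault", code, message). loads() raises Fault for a fault response."""
    try:
        (value,), _ = xmlrpc.client.loads(body)
        return ("ok", value)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)


# Constructed sample replies. The fault mirrors what WordPress returns for a
# bad login (code 403); the success reply has the shape of a wp.getUsersBlogs
# result (one struct per blog the account can reach).
BAD_LOGIN_REPLY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."),
    methodresponse=True,
)
GOOD_LOGIN_REPLY = xmlrpc.client.dumps(
    ([{"isAdmin": True, "url": "https://example.com/", "blogid": "1",
       "blogName": "Example", "xmlrpc": "https://example.com/xmlrpc.php"}],),
    methodresponse=True,
)


def fake_wordpress(username, password):
    """Constructed stand-in for the site: a single valid account (assumption)."""
    if (username, password) == ("editor", "correct horse"):
        return GOOD_LOGIN_REPLY
    return BAD_LOGIN_REPLY


def login_probe(username, password, reply_for=fake_wordpress):
    """One guess, end to end: build the call, let the simulated server parse
    it, and interpret its reply. reply_for(username, password) stands in for
    the real xmlrpc.php endpoint."""
    request = build_request("wp.getUsersBlogs", username, password)
    method, params = parse_request(request)
    assert method == "wp.getUsersBlogs" and params == (username, password)
    return parse_response(reply_for(*params))


if __name__ == "__main__":
    print(build_request("wp.getUsersBlogs", "editor", "guess1"))
    print(login_probe("editor", "guess1"))          # ("fault", 403, "Incorrect username or password.")
    print(login_probe("editor", "correct horse"))   # ("ok", [{...blog struct...}])
```

Note that both replies come back with HTTP 200; the only way to tell a failed guess from a successful login is to parse the body, which is why plain status-code filtering on xmlrpc.php tells you nothing.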

The Problem
The thing is, XML-RPC does not have a good security record. There was some controversy in WordPress Trac (the WordPress developers' ticketing system) when core developer Andrew Nacin suggested that XML-RPC should be removed entirely. That was three years ago; nothing came of it, and the interface is still with us.

But lately, a couple of weeks ago, the founders of Sucuri and Wordfence (two reliable makers of security plugins for WordPress) “confirmed the reports that a new type of Brute Force login attack was being carried out on a massive scale against WordPress sites around the world using XML-RPC. Apparently, hackers have wised up to the fact that wp-login.php is often well protected”. The point is that any XML-RPC method that takes a username and password (wp.getUsersBlogs, for instance) answers with a fault on a wrong pair, so every POST to xmlrpc.php is a login attempt that bypasses whatever is protecting wp-login.php. You can read both articles here and here.

Some hosting companies started to block XML-RPC permanently because the attacks did not stop, and many other hosts followed that lead.
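Here is an added example (mine, not code from either article or from the plugins mentioned) of the check a practitioner wants after reading that: run the web server's access log through a counter and see who is POSTing to xmlrpc.php versus wp-login.php. The log lines, the IP addresses, the user agents and the threshold of 20 are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the original post. Log lines are constructed
# samples in Apache/nginx "combined" format; the threshold is an assumption.

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_sources(lines, threshold=20):
    """Count POSTs per source IP to the two places a password can be tried.

    Returns {ip: {"wp-login.php": n, "xmlrpc.php": n}} for every IP at or
    over the threshold on either endpoint. A burst on xmlrpc.php with nothing
    on wp-login.php is the pattern described above: the attacker skipped the
    protected login form. The HTTP status is deliberately ignored, because
    xmlrpc.php returns 200 for a failed guess just as it does for a success.
    """
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        endpoint = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if endpoint in ("wp-login.php", "xmlrpc.php"):
            counts[rec["ip"]][endpoint] += 1
    return {ip: dict(c) for ip, c in counts.items() if max(c.values()) >= threshold}


def _line(ip, method, path, status, agent):
    """Build one constructed log line (fixed timestamp; only the fields used matter)."""
    return (f'{ip} - - [10/Mar/2014:12:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{agent}"')


# Constructed sample log: one address hammering xmlrpc.php, a mobile app doing
# a single legitimate sync, an ordinary visitor, and a human logging in.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", 200, "Mozilla/5.0") for _ in range(25)]
    + [
        _line("192.0.2.10", "POST", "/xmlrpc.php", 200, "wp-android/2.6"),
        _line("198.51.100.4", "GET", "/", 200, "Mozilla/5.0"),
        _line("192.0.2.11", "POST", "/wp-login.php", 200, "Mozilla/5.0"),
        _line("192.0.2.11", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302, "Mozilla/5.0"),
    ]
)

if __name__ == "__main__":
    for ip, hits in suspicious_sources(SAMPLE_LOG).items():
        print(ip, hits)   # 203.0.113.7 {'xmlrpc.php': 25}
```

A real run would read the file with `open(path)` instead of `SAMPLE_LOG`; the threshold should sit well above what your own mobile app or blog client produces in a sync, which is a handful of POSTs, not dozens from one address.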

The solution
You don't need to disable it at all. A plugin like Wordfence (there are others, such as iThemes Security, but I use Wordfence and it works for me) can stop attackers hammering the XML-RPC interface on your site, and even the free version of Wordfence does that. Whatever you use, verify it is working by watching your access log: a stream of POSTs to xmlrpc.php from one address that keep getting HTTP 200 replies means the guesses are still reaching WordPress. So if you want to help your host, go to wordfence.com, read about it, learn a little and use it. You will be helping your hosting company help you better.



Author Spotlight

Facu Puig

I have been making websites since 1997, using Adobe products since 2004 and WordPress since 2007. Fascinated by design since the age of 8, thanks to my father, a multi-award-winning graphic designer.
