How to block requests to the WordPress xmlrpc function

In the last few days my blog was under heavy attack on the WordPress xmlrpc.php file, a function that is one of the most common causes of exploits.

As a first measure I tried WordPress plugins like “Disable XML-RPC Pingback” and “Disable XML-RPC”. Unfortunately neither plugin was a solution against the attack.

So I decided to delete the xmlrpc.php file – a workaround that was OK until the automatic WordPress update ran. The update rebuilt the xmlrpc.php file and the attack started again.

Finally I found a solution that worked (for me):

I use a .htaccess file to block all requests made to xmlrpc.php.

Just add the following lines to a .htaccess file:

# Deny every request to xmlrpc.php (Apache 2.2 access-control syntax)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Disadvantages:

Most users do not need the XML-RPC functionality. But some apps, like the WordPress mobile app, need it to work properly.
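The snippet above uses the Apache 2.2 access-control directives. On Apache 2.4 those directives only work when mod_access_compat is loaded; without it, the .htaccess file itself causes a 500 Internal Server Error for the whole site. The following is an added example, not the original post's snippet, that blocks xmlrpc.php on both Apache versions and shows where a single known client (for example the machine running the mobile app) could be allowed through instead of blocking everyone. The IP range in the comment is a documentation-range placeholder, not a real client address.

```apache
# Added example: block xmlrpc.php on Apache 2.2 and 2.4 from one .htaccess.
# mod_authz_core exists only on Apache 2.4, so it selects the right syntax.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4: deny every request to this file.
        # To let one known client through while blocking everyone else,
        # replace the line below with:  Require ip 203.0.113.0/24
        # (203.0.113.0/24 is a placeholder documentation range).
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: legacy Order/Deny directives.
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

After saving the file, request /xmlrpc.php once from a browser or with curl: a 403 Forbidden confirms the rule is active, while a 500 means the server is Apache 2.4 without mod_access_compat and the legacy directives are being parsed. Blocked attempts still show up in the access log as 403 responses, which is useful for confirming the attack has been stopped rather than merely hidden.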

1 Comment

  1. Harish

    But clients can delete .htaccess; they do it a lot. We use a plugin now, which can be put in the must-use folder:

    https://wordpress.org/plugins/disable-xml-rpc-littlebizzy/
