What is XML-RPC?
XML-RPC is an XML-based protocol used to exchange information between computer systems over a network. XML-RPC was invented by Dave Winer in 1998. It uses HTTP for transport and allows complex data structures to be transmitted and processed.
XML-RPC is mainly used to integrate multiple computing environments without the need to share complex data structures directly. It makes communication between computers over a network fast and easy. XML-RPC is used in Perl, Java, Python, C, C++, PHP, and many other programming languages.
When a client manages any part of your WordPress website remotely, it needs access to the xmlrpc.php file. An XML-RPC message is an HTTP POST request. There are requests and responses, and the body of the request is in XML format. The server executes the requested procedure and returns a value, which is also in XML format. The procedure parameters can be numbers, strings, scalars, etc.
What is the xmlrpc.php file and why should it be disabled?
XML-RPC is a feature in WordPress that enables data transmission with HTTP as the transport mechanism and XML as the encoding mechanism. As WordPress is not a self-enclosed system, it occasionally needs to communicate with other systems. For example, if you need to post on the website from a mobile device, you can use the remote access feature enabled by xmlrpc.php to do it. The xmlrpc.php file lets you connect to the website from a smartphone, and it also implements trackbacks and pingbacks from other websites and from functions associated with the Jetpack plugin.
However, XML-RPC raises security concerns. There is no direct security issue with XML-RPC itself; the concern is that the xmlrpc.php file can be used to carry out brute-force attacks on the website. A hacker will try to access your website through the xmlrpc.php file with various combinations of username and password. They can use a single command to test hundreds of different passwords. This lets them get around the security rules and carry out a brute-force attack.
Another risk is that the website is taken offline through a DDoS attack. Hackers use the pingback feature in WordPress to send pingbacks to thousands of websites simultaneously. This feature in xmlrpc.php gives hackers an endless supply of IP addresses over which to distribute a DDoS attack.
Steps to Disable XML-RPC File in cPanel:
You can check whether XML-RPC is running on your website with a tool called XML-RPC validator. XML-RPC can be disabled on WordPress websites with the help of plugins or manually through File Manager in cPanel. The steps below disable XML-RPC in cPanel.
Step 1: Log in to your cPanel with a valid username and password.
Step 2: Navigate to File Manager and go to the root folder. Then open the ‘public_html’ folder.
Step 3: Find the .htaccess file in the public_html directory or create a new .htaccess file. If you don’t see the file, it is hidden; to display hidden files, change the settings through the gear icon in the top-right corner.
Step 4: Once you find the .htaccess file, right-click on it and choose the Edit button.
Step 5: After you click the button, a popup appears that allows you to disable encoding. Click the Edit button, and a new tab opens in the browser.
Step 6: Copy and paste the code below into the .htaccess file.
# Block XML-RPC
<Files xmlrpc.php>
order deny,allow
deny from all
# To keep access from one address, uncomment the next line and put that IP in it
# allow from <your IP address>
</Files>
Now the xmlrpc.php file will be disabled on your website completely. This makes your website more secure and reduces the security threats to it. For more information, like us on social media such as Facebook and Twitter. For video tutorials, subscribe to our YouTube channel “ServerCake India”.
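To confirm from the web server's access log that the block is working, and to see which clients were sending POST requests to xmlrpc.php, the following added example (not part of the original article) counts those requests per IP address. It assumes Apache's combined log format; the function name, the threshold value and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format is assumed; only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize_xmlrpc(lines, threshold=3):
    """Count POSTs to xmlrpc.php per client IP, split into served and denied.

    threshold is a hypothetical tuning value, not taken from the article.
    Request bodies are not in the access log, so this counts requests only.
    """
    stats = defaultdict(lambda: {"served": 0, "denied": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, then match the file name at the end of the path.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/xmlrpc.php"):
            continue
        # With the "deny from all" rule in place, Apache answers 403.
        key = "denied" if m["status"] == "403" else "served"
        stats[m["ip"]][key] += 1
    return {
        ip: {**c, "flagged": c["served"] + c["denied"] >= threshold}
        for ip, c in stats.items()
    }

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"',
    '192.0.2.10 - - [10/Mar/2024:10:01:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
    '192.0.2.10 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.23 - - [10/Mar/2024:11:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.23 - - [10/Mar/2024:11:00:09 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ip, row in sorted(summarize_xmlrpc(SAMPLE_LOG).items()):
        print(ip, row)
```

After the .htaccess rule is saved, new requests should appear only in the "denied" column; any that still show as "served" mean the rule is not being applied to that path.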