How To Safely Disable XMLRPC In WordPress (While Keeping Jetpack)

By Bhagwad Park on January 23, 2019


One day I got a bunch of notifications from my WordPress security plugin that some IP addresses had been blocked because of multiple incorrect login attempts. By itself, this is nothing to wonder at – after all, WordPress is the platform most targeted by hackers, simply because it’s so popular. What was surprising was that it shouldn’t have been possible on my site.

I use a special technique to hide my login page from anyone who doesn’t know an exact sequence of characters. It’s not just “site.com/wp-login.php”. So how come hackers were able to even attempt to log in? It didn’t make sense. So I pulled up the raw access logs from cPanel and searched for the blocked addresses to see what they had accessed.

And of course, I should have seen it coming – it was xmlrpc.php.

What is xmlrpc.php?

Complex details aside, XML-RPC is a protocol that allows third parties to interact with your site programmatically. With it, other services can connect to your site and integrate their features with yours. The popular Jetpack plugin is probably the most conspicuous user of XML-RPC, but other services use it as well.

While a great idea in theory, the fact is that xmlrpc.php is a favorite target for attackers. Since it provides a programmatic way to log in, attackers can attempt hundreds of logins in a very short period. This is unlike the regular login form, where each attempt first needs a page to load.

If you don’t take any measures, XML-RPC attacks will slow down your site, might get you penalized by your web host, and possibly compromise your security.

Method 1: Enable the Jetpack Protection Module

This is probably the lightest step to take. You probably already have Jetpack installed on WordPress; if you don’t, you should! It has a bunch of useful features and can also double as a CDN. Once you’ve installed it, click Settings on the left-hand side of the admin dashboard and go to the “Security” tab. Here, scroll down until you see the section “Brute force attack prevention” and turn the switch on as shown here:

Jetpack will take some measures to ensure that brute force attacks via XML-RPC will be stopped before they become a problem. This doesn’t disable XML-RPC, but tries to prevent its abuse.

But it might not be enough.

Method 2: Block XML-RPC Entirely

The second idea is to simply block XML-RPC. Other than Jetpack, you probably don’t use it anyway. If you don’t use Jetpack, it’s best to disable it altogether.

To do this, open your .htaccess file. It’s not easy to do this from WordPress, but if you have the Yoast SEO plugin installed, there’s an easy way. Just go to “SEO” in the dashboard, click “Tools”, and choose the “File editor” as shown here:

This will allow you to edit your .htaccess file. Paste the following code into it and save your changes.

<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>

This will simply deny access to xmlrpc.php to everyone. Problem solved! But what if you want to use Jetpack? Since it’s such a popular plugin, we need a way to allow Jetpack’s servers to access XML-RPC.

Method 3: Whitelisting Jetpack

Instead of the code above, we can whitelist Jetpack’s IP address range so that only Jetpack’s servers can reach xmlrpc.php, using the following code:

<Files xmlrpc.php>
Order allow,deny
# Jetpack's IPv4 range 192.0.64.1 to 192.0.127.254 is the CIDR block 192.0.64.0/18.
# Apache's Allow directive accepts CIDR or netmask notation, not a start/end pair.
Allow from 192.0.64.0/18
Deny from all
Satisfy All
# Everyone else gets a 403; this sends them to a URL instead of an error page.
ErrorDocument 403 http://127.0.0.1/
</Files>

Now whenever someone tries to directly access xmlrpc.php, they’ll see this:

And that’s it! You’ve successfully secured your site from XML-RPC attacks!
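An added example, not code from the post or from Jetpack, that automates two things the post does by hand: searching the raw access log for xmlrpc.php hits from addresses outside Jetpack’s range (the check from the opening story), and rendering the Method 3 allowlist with the range in the CIDR notation Apache’s Allow directive accepts. The log lines are constructed samples; the apache24 rendering with Require ip is Apache 2.4’s native equivalent of Order/Allow/Deny, which 2.4 only honours through mod_access_compat.

```python
import ipaddress
import re
from collections import Counter

# Jetpack's IPv4 range from the post's rule: 192.0.64.1-192.0.127.254 is the CIDR block 192.0.64.0/18.
JETPACK_V4 = [ipaddress.ip_network("192.0.64.0/18")]

# Apache "combined" log format: client IP first, then the quoted request line and the status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not real traffic): one Jetpack call, a burst from one other host, one normal hit.
SAMPLE_LOG = """\
192.0.65.10 - - [23/Jan/2019:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
203.0.113.7 - - [23/Jan/2019:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 401
203.0.113.7 - - [23/Jan/2019:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 401
203.0.113.7 - - [23/Jan/2019:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 401
198.51.100.4 - - [23/Jan/2019:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

def is_jetpack(ip, ranges=JETPACK_V4):
    """True when the client address lies inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def xmlrpc_hits(log_text):
    """Count xmlrpc.php requests per client IP, split into allowlisted and other sources."""
    allowed, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path = m.group(1), m.group(3).split("?")[0]
        if path.endswith("/xmlrpc.php"):
            (allowed if is_jetpack(ip) else other)[ip] += 1
    return allowed, other

def htaccess_block(ranges=JETPACK_V4, apache24=False):
    """Render the post's Method 3 allowlist for <Files xmlrpc.php> in CIDR notation."""
    # apache24=False: Order/Allow/Deny as in the post (Apache 2.4 needs mod_access_compat for it).
    # apache24=True: native 2.4 'Require ip'; clients outside the listed networks get 403.
    if apache24:
        body = [f"Require ip {net}" for net in ranges]
    else:
        body = ["Order allow,deny", *[f"Allow from {net}" for net in ranges], "Deny from all", "Satisfy All"]
    return "\n".join(["<Files xmlrpc.php>", *body, "</Files>"])

if __name__ == "__main__":
    allowed, other = xmlrpc_hits(SAMPLE_LOG)
    print("Jetpack hits:", dict(allowed), "| other hits (candidates for blocking):", dict(other))
    print(htaccess_block())
```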

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!


Comments

  1. MishiG says

    April 24, 2019 at 9:54 pm

    Hi Bhagwad!
    It seems to be working almost perfectly, but it does not show 403, just an empty page at this IP http://127.0.0.1/. Do I need to change this IP in the file?

    • Bhagwad Park says

      April 29, 2019 at 12:29 am

      What you can do is create a 403.html file in your directory and use that URL instead of http://127.0.0.1/ in the .htaccess file.

  2. Alex Neihaus says

    May 1, 2019 at 7:35 pm

    Or, instead of causing a redirect, just have Apache output some text:
    …
    ErrorDocument 403 Forbidden!
    …

    For example: https://www.yobyot.com/xmlrpc.php

    Nice tip

    • Marcus says

      August 4, 2020 at 7:30 pm

      How did you end up setting up the block for xmlrpc? I would like to do something similar, since I’m getting a lot of unwanted requests and I can’t disable xmlrpc because of Jetpack.

      Thanks,

  3. Julian says

    August 18, 2019 at 9:39 pm

    Hey Bhagwad,
    Jetpack support told me that their IP address can and is likely to change in the future, so we would have to check and update this rule to make sure Jetpack still works.

    • Bhagwad Park says

      August 19, 2019 at 1:07 pm

      This is true. Unfortunately, Automattic doesn’t maintain a text file with their current IP list like Cloudflare, so this rule might need to be updated at regular intervals…

  4. Arsie Organo Jr says

    September 18, 2019 at 6:55 am

    Hi Bhagwad,

    If I use this code below:

    Order allow,deny
    Deny from all

    I just want to confirm if it will also block me from trying to log in remotely to my wp-admin page?

  5. Steve Ervin says

    November 8, 2019 at 3:59 pm

    How would you use the remote admin panel plugins with this?

  6. Eric says

    May 8, 2020 at 1:27 am

    I have blocked xml-rpc and Jetpack still works.

  7. Grant Crawley says

    November 12, 2020 at 4:19 am

    Automattic does have an official file with the Jetpack IP range, you can get it from https://jetpack.com/ips-v4.txt
