One day I got a bunch of notifications from my WordPress security plugin that some IP addresses had been blocked because of multiple incorrect login attempts. By itself, this is nothing to wonder at – after all, WordPress is the platform most targeted by hackers simply because it’s so popular. What was surprising was that it shouldn’t have been possible on my site.
I use a special technique to hide my login page from anyone who doesn’t know an exact sequence of characters. It’s not just “site.com/wp-login.php”. So how come hackers were able to even attempt to log in? It didn’t make sense. So I pulled up the raw access logs from cPanel and searched for the blocked addresses to see what they had accessed.
And of course, I should have seen it coming – it was xmlrpc.php.
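What that search looks like when scripted, as an added example (this is not the author's own tooling): a small Python triage over Apache/cPanel combined-format access lines. The log lines are constructed for the example. Note that it deliberately ignores the HTTP status column: WordPress answers a failed XML-RPC login with a 200 and an XML fault, so the statuses look perfectly normal while the brute force runs.

```python
import re
from collections import Counter

# Apache/cPanel "combined" access-log line. Only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (not a real server's log): two addresses hammering
# xmlrpc.php and one ordinary visitor. Every POST is a 200 because WordPress
# returns HTTP 200 plus an XML <fault> for a failed XML-RPC login.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:01:06 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 403 "-" "python-requests/2.31"
192.0.2.55 - - [12/Mar/2024:10:02:11 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:10:02:12 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 5120 "https://example.test/about/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _is_xmlrpc(path):
    # Drop any query string first; scanners sometimes append junk such as ?for=jetpack.
    return path.split("?", 1)[0].lower().endswith("/xmlrpc.php")


def xmlrpc_hits(log_text):
    """Count requests to xmlrpc.php per client IP, regardless of HTTP status."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and _is_xmlrpc(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


def paths_for_ip(log_text, ip):
    """What else did one address touch? Counter of request paths for that IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] == ip:
            counts[rec["path"]] += 1
    return counts


def suspects(log_text, min_hits=2):
    """IPs whose xmlrpc.php request count reaches min_hits, busiest first."""
    return [(ip, n) for ip, n in xmlrpc_hits(log_text).most_common() if n >= min_hits]


if __name__ == "__main__":
    for ip, n in suspects(SAMPLE_LOG):
        print(f"{ip}: {n} xmlrpc.php requests; paths: {dict(paths_for_ip(SAMPLE_LOG, ip))}")
```

Run it against a real cPanel "raw access log" download with `suspects(open(path).read())`; the addresses the security plugin blocked should appear at the top with nothing but xmlrpc.php in their path list.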
What is xmlrpc.php?
Complex details aside, XML-RPC is a protocol that lets third-party software talk to your site over HTTP. Publishing clients, mobile apps and remote services can use it to post content, pull data and, crucially, log in, all through the single endpoint xmlrpc.php. The popular Jetpack plugin is probably the most conspicuous user of XML-RPC, but other services can be as well.
While a great idea in theory, the fact is that xmlrpc.php is a favorite target for attackers. It provides a programmatic way to log in, so an attacker can attempt hundreds of logins in a very short period without ever rendering a login page. Worse, XML-RPC supports the “system.multicall” method, which bundles many method calls into one HTTP request, so a single POST can carry hundreds of username/password guesses; a rate limit that counts requests to the login page never sees any of it.
If you don’t take any measures, XML-RPC brute forcing will slow down your site (every guess costs a full WordPress bootstrap and a password hash check), might get you penalized by your web host for resource usage, and, if any account has a weak password, will eventually hand an attacker a login.
Method 1: Enable the Jetpack Protection Module
This is probably the most “lite” step to take. You probably already have Jetpack installed on WordPress. If you don’t, you should! It’s got a bunch of useful features and can also double up as a CDN. Once you’ve installed it, click Jetpack’s Settings in the left-hand admin menu and go to the “Security” tab. Scroll down until you see the section “Brute force attack prevention” and turn the switch on, as shown here:
Jetpack’s protection blocks addresses that rack up failed logins, using a blocklist shared across the sites in the Jetpack network, and it watches logins made through XML-RPC as well as the login form, so brute force via xmlrpc.php is stopped before it becomes a problem. This doesn’t disable XML-RPC; it tries to prevent its abuse.
But it might not be enough: every attempt still reaches PHP and costs a WordPress bootstrap, and a shared blocklist lags behind a fresh botnet.
Method 2: Block XML-RPC Entirely
The second idea is to simply block XML-RPC. Other than Jetpack, you probably don’t use it anyway, though the WordPress mobile apps and some desktop publishing tools have relied on it, so check before you cut it off. If you don’t have Jetpack, it’s best to disable it altogether. (WordPress also has an “xmlrpc_enabled” filter that turns off the authenticated XML-RPC methods, but those requests still reach PHP, so blocking them at the web server is cheaper.)
To do this, open your .htaccess file. It’s not easy to do this from WordPress, but if you have the Yoast SEO plugin installed, there’s an easy way. Just go to “SEO” in the dashboard, click “Tools”, and choose the “File editor” as shown here:
This will allow you to edit your .htaccess file. A syntax error in this file takes the whole site down with a 500 error, so copy the current contents somewhere safe first. Then paste the following code into it and save your changes.
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>
This simply denies access to xmlrpc.php for everyone: Apache answers with 403 Forbidden before WordPress even loads, so the attempts no longer cost you PHP time. On Apache 2.4 the native spelling is “Require all denied” inside the same <Files> block; the “Order”/“Deny” form still works wherever mod_access_compat is loaded, which is the case on most shared hosts. Problem solved! But what if you want to use Jetpack? Since it’s such a popular plugin, we need a way to let Jetpack’s servers reach XML-RPC while keeping everyone else out.
Method 3: Whitelisting Jetpack
Instead of the code above, we can whitelist Jetpack’s IP range and deny everyone else. Pay attention to the Order line: with “Order deny,allow”, Apache evaluates the Deny first and a matching Allow overrides it, which is exactly what a whitelist needs. The other way round, “Order allow,deny” together with “Deny from all”, the Deny has the final word and Jetpack is locked out along with the attackers.
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
    # Jetpack's published range; check Jetpack's current IP list before relying on it
    Allow from 192.0.64.0/18
    ErrorDocument 403 http://127.0.0.1/
</Files>
Two caveats. “Allow from” matches the address Apache sees, so if a CDN or reverse proxy sits in front of your site you must first have Apache trust the proxy’s forwarded client address (mod_remoteip), otherwise Jetpack arrives with the proxy’s IP and is denied. And because the ErrorDocument points at a full URL, Apache does not return a 403 at all; it sends a 302 redirect to that URL, which is what your logs and any monitoring will record.
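The ordering point is easy to get wrong and awkward to test without a spare server, so here is an added Python checker (not the author's, and not Apache itself) that parses a <Files> block's Order / Allow from / Deny from lines and applies mod_access_compat's decision table to a client address. It covers both the deny-everything block from Method 2 and the whitelist above; the Jetpack range is the assumed 192.0.64.0/18, and both snippets below are constructed for the example.

```python
import ipaddress

# Assumed Jetpack range (Automattic's documented 192.0.64.0/18 at the time of
# writing); confirm against Jetpack's current published IP list before deploying.
JETPACK_RANGE = "192.0.64.0/18"

# The ordering many tutorials use: Deny wins over Allow, so Jetpack is denied too.
WRONG_ORDER_SNIPPET = f"""
<Files xmlrpc.php>
    Order allow,deny
    Allow from {JETPACK_RANGE}
    Deny from all
</Files>
"""

# The whitelist form: Deny first, then a matching Allow overrides it.
WHITELIST_SNIPPET = f"""
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
    Allow from {JETPACK_RANGE}
</Files>
"""

# Method 2: nobody gets in.
BLOCK_ALL_SNIPPET = """
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>
"""


def parse_rules(htaccess_text):
    """Pull Order / Allow from / Deny from directives out of a <Files> block.
    Only 'all', full IPs and CIDR networks are understood; Apache also accepts
    partial IPs and hostnames, which this checker does not model."""
    order, allow, deny = None, [], []
    for raw in htaccess_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    # Apache's default when no Order directive is present is Deny,Allow.
    return order or "deny,allow", allow, deny


def _matches(rules, ip):
    for rule in rules:
        if rule.lower() == "all":
            return True
        # Raises ValueError on a garbled range, which is the right outcome for a
        # pre-deploy check: Apache would refuse the file too.
        if ip in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def access_allowed(htaccess_text, client_ip):
    """Apply mod_access_compat's Order semantics to one client address."""
    order, allow, deny = parse_rules(htaccess_text)
    ip = ipaddress.ip_address(client_ip)
    a, d = _matches(allow, ip), _matches(deny, ip)
    if order == "allow,deny":
        # Allow checked first, then Deny. Matching both is DENIED; matching
        # neither falls to the last word in the Order: denied.
        return a and not d
    if order == "deny,allow":
        # Deny first, then Allow. Matching both is ALLOWED; matching neither is allowed.
        return a or not d
    raise ValueError(f"unsupported Order directive: {order!r}")


if __name__ == "__main__":
    for label, snippet in (("wrong order", WRONG_ORDER_SNIPPET), ("whitelist", WHITELIST_SNIPPET),
                           ("block all", BLOCK_ALL_SNIPPET)):
        print(label, "jetpack:", access_allowed(snippet, "192.0.80.5"),
              "attacker:", access_allowed(snippet, "203.0.113.9"))
```

Paste your own <Files xmlrpc.php> block into `access_allowed` with an address from the Jetpack range and one from outside it; if the first does not come back True, the order is wrong and the plugin will stop working the moment you save the file.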
Now whenever someone outside that range tries to access xmlrpc.php directly, Apache refuses the request and redirects them to http://127.0.0.1/, so their browser ends up knocking on their own machine instead of your server.
And that’s it! Brute forcing via XML-RPC is now turned away at the web server, and Jetpack keeps working. Confirm it after saving: request /xmlrpc.php from an address outside the allowed range and check your access log for the 302 (or a 403 if you left out the ErrorDocument line) instead of the 200s you saw before.