
What is WordPress’s xmlrpc.php? About XMLRPC security and availability

WordPress includes a file called xmlrpc.php that lets WordPress be controlled from outside. This post explains what the file does and what its security implications are.

What is xmlrpc.php used for?

xmlrpc.php provides various functions to control WordPress from other programs and sites, not from the administration screen. Examples include the following:

  • Compose post by email
  • Edit post
  • Delete post
  • Upload files
  • Add and delete comments
  • Edit comment
  • Pingback (a function by which the linking site notifies the linked site)

xmlrpc.php security

Because xmlrpc.php exposes WordPress control to the outside, its functionality can be abused by attackers. Below are examples of how this feature has been abused:

● DDoS attacks (taking the site down, or denying access, by sending large numbers of requests)
● Obtaining administrator access through dictionary-based brute-force login attempts
● Continuous posting of spam comments
● Defacing the site and installing backdoors after seizing administrator access

How to stop xmlrpc.php?

The functionality of xmlrpc.php can be switched off with various plug-ins, for example:
WordPress Doctor Malware Scan & Security Plug-in

Is it OK to stop xmlrpc.php?

Posting by email and the pingback function will be disabled. Some plug-ins also use XMLRPC functions, and those plug-ins may stop working properly.
In particular, note that Jetpack uses XMLRPC in various ways, so the following functions may become unavailable. Many other Jetpack functions will continue to work.

● Various WordPress.com integration functions (the site access statistics function still works once linked)
● Publicize sharing
● Access to some normal management functions (a 403 error appears when the page is displayed)
● Blank lines and warnings appearing on pages and management screens
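The two preceding sections describe a trade-off: switching xmlrpc.php off entirely stops the abuse listed above but also breaks Jetpack, pingbacks and posting by email. The following must-use plug-in is an added example written for this page; it is not code from the original post or from the WordPress Doctor plug-in. It uses the WordPress core filters xmlrpc_enabled, xmlrpc_methods, wp_headers and bloginfo_url, which exist in core; the constant EXAMPLE_XMLRPC_DISABLE_ALL is a name chosen for this example. With the constant left at false it keeps XML-RPC available but removes only the pingback and multicall methods most commonly abused; set it to true to disable XML-RPC entirely, which has the same effect as the plug-ins mentioned above.

```php
<?php
/**
 * Plugin Name: Example XML-RPC hardening (added example, not part of the original post)
 * Description: Place this file in wp-content/mu-plugins/ to restrict xmlrpc.php.
 *
 * Assumption: EXAMPLE_XMLRPC_DISABLE_ALL is a constant invented for this example;
 * the filters used below (xmlrpc_enabled, xmlrpc_methods, wp_headers, bloginfo_url)
 * are WordPress core filters.
 */

// true  = turn XML-RPC off completely (pingbacks, email posting and Jetpack stop working).
// false = keep XML-RPC but strip the methods that are usually abused.
if ( ! defined( 'EXAMPLE_XMLRPC_DISABLE_ALL' ) ) {
    define( 'EXAMPLE_XMLRPC_DISABLE_ALL', false );
}

if ( EXAMPLE_XMLRPC_DISABLE_ALL ) {
    // Core consults this filter before serving any XML-RPC request;
    // returning false makes every call fail with "XML-RPC services are disabled".
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

/**
 * Remove the methods behind the abuse listed above:
 *  - pingback.ping is used to turn the site into a reflector for DDoS traffic;
 *  - system.multicall packs many login attempts into a single HTTP request,
 *    which is what makes dictionary attacks against XML-RPC cheap.
 * Jetpack's own methods are left in place.
 */
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    unset( $methods['system.multicall'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Also blank out the <link rel="pingback"> URL that themes print in <head>,
// so scanners looking for pingback-capable sites do not find this one.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    if ( 'pingback_url' === $show ) {
        return '';
    }
    return $output;
}, 10, 2 );
```

Because the file lives in mu-plugins it loads before normal plug-ins and cannot be deactivated from the admin screen. After installing it, check that a POST to /xmlrpc.php listing methods (system.listMethods) no longer shows pingback.ping or system.multicall, and that any Jetpack features you rely on still connect; if the selective version is not enough for your site, set the constant to true.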