Understanding XML-RPC in WordPress

XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as the transport. It was built into WordPress so that external applications (such as the WordPress mobile app or desktop blogging clients) could interact with a site. However, the functionality it exposes can be abused by attackers to turn ordinary WordPress installations into reflectors for distributed amplification attacks.

The Pingback Attack Vector

The primary risk associated with XML-RPC is abuse of the pingback.ping method. A pingback notifies a site that another site has linked to it; to verify the claim, the notified site fetches the supposed linking URL. Attackers can send crafted XML-RPC requests to thousands of legitimate WordPress sites at once, each naming the same target URL as the source of the link. Every one of those otherwise innocent servers then issues HTTP requests to the target, and the combined flood can knock it offline in a Distributed Denial of Service (DDoS) attack.

Securing XML-RPC Functions

If you do not require external publishing apps, the safest strategy is to restrict or disable XML-RPC:

  • Disable XML-RPC via Code: Add the filter add_filter( 'xmlrpc_enabled', '__return_false' ); to a custom plugin or your theme's functions.php file to turn off the protocol. Note that WordPress evaluates this filter only for methods that require authentication, so if pingback abuse is the concern, also remove pingback.ping from the method list via the xmlrpc_methods filter.

  • Block via .htaccess or Nginx: Prevent requests from reaching xmlrpc.php entirely at the server level. In Apache, add a <Files xmlrpc.php> block with the directive Order Deny,Allow and Deny from all (on Apache 2.4 the equivalent is Require all denied; the older directives only work if mod_access_compat is loaded). In Nginx, an exact-match location block for /xmlrpc.php with deny all achieves the same. Blocking at this layer stops every XML-RPC method, including the unauthenticated ones, before PHP runs.

  • Use Modern Alternatives: Transition your remote workflows to the built-in WordPress REST API, which supports modern authentication mechanisms and does not expose the pingback method, so it cannot be used for pingback amplification.
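The following must-use plugin is an added example that ties the first bullet above to the pingback section; it is not code from the original article or from WordPress itself. It uses only core WordPress hooks (xmlrpc_enabled, xmlrpc_methods, wp_headers, pings_open and the rsd_link head action). The important caveat it encodes is that the xmlrpc_enabled filter is evaluated inside the XML-RPC server's login routine, so on its own it leaves the unauthenticated pingback.ping method callable; the extra filters close that gap and stop the site advertising its pingback endpoint.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not part of the original article)
 * Description: Disables authenticated XML-RPC, removes the pingback methods,
 *              and stops advertising the XML-RPC/pingback endpoints.
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * without needing activation.
 */

// 1. Disable XML-RPC methods that require a login.
//    Caveat: WordPress checks this filter inside wp_xmlrpc_server::login(),
//    so unauthenticated methods such as pingback.ping are NOT affected by it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods from the server's method table so they can
//    neither be listed via system.listMethods nor executed, with or without
//    authentication. This is the step that actually neutralises the
//    reflection/amplification vector described above.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Treat pings as closed on every post, so the comment pipeline also
//    refuses incoming pingbacks/trackbacks regardless of per-post settings.
add_filter( 'pings_open', '__return_false', 10, 2 );

// 4. Do not emit the X-Pingback response header. With pings closed WordPress
//    already omits it on singular views; this makes the intent explicit.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 5. Stop publishing the Really Simple Discovery <link rel="EditURI"> tag,
//    which points clients (and scanners) at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

After deploying, verify from outside the site that a POST to xmlrpc.php invoking pingback.ping is refused (a "server error" fault for an unknown method, or a 403 if you also blocked the file at the web server), and that the page source no longer contains an EditURI link. Server-level blocking from the second bullet remains the stronger control, since it rejects the request before PHP runs at all; this plugin is the defence for hosts where you cannot edit the web server configuration.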