XML-RPC is a file included with every WordPress install that lets data be transmitted using HTTP as the transport and XML as the encoding format. Because WordPress itself is not a self-contained system and occasionally needs to communicate with systems outside its own install, this file was created to handle such tasks.
As an example, suppose you are on vacation, need to make a post, and all you have is your phone. WordPress has a remote access feature, built on the xmlrpc.php file, that lets a WordPress app make posts remotely.
Mainly, xmlrpc.php lets you link your site with your smartphone, implement trackbacks and pingbacks from other services, and use some functions of the Jetpack plugin if you have it installed.
XML-RPC allows remote connections to WordPress. Without it, various tools and publishing applications simply cannot access the website, and any updates or additions would have to be made by logging directly into the system.
Back in 2008, WordPress 2.6 had an option to enable or disable the XML-RPC feature. When WordPress released the iPhone app, XML-RPC became a default setting that could not be turned off. That is still the case today; however, there are plugins that will disable it (as well as other ways, discussed later).
Since 2008 the usage and functionality of this file have greatly decreased. The file has shrunk from its original 83KB down to 3KB, so we know it does not play as big a role now as it once did.
With the WordPress community constantly growing and the developers improving the software every day, we can only expect the xmlrpc.php file to be eliminated completely in due time. Further to this, WordPress has an API currently in a trial phase to replace xmlrpc.php; for now it can only be enabled through a plugin.
We can certainly expect the new API to be coded directly into the WordPress core in the near future, and that alone should eliminate the need for xmlrpc.php completely. Developers of themes and plugins would of course still need to update their code to work with the new API.
At this time the API is still in a trial phase and there are expected issues as the developers work to improve it, but things are looking promising. Here's hoping this API is the secure solution to the troubles that xmlrpc.php produces.
By disabling this feature, you eliminate the risk of external attacks gaining access through it. Although the contributors to the platform attest that the XML-RPC code is as secure as the rest of the WordPress core, some may feel safer disabling it.
It’s like having a house with only one door. Adding a second door may be more convenient, but it creates another entry point that needs to be locked.
The obvious downside to eliminating this feature is that remote access to WordPress will no longer be possible. This removes some of the functionality and versatility of the system. Instead of posting blogs from a different application automatically through remote access, any content and other changes would have to be made through logging directly into WordPress.
This can be problematic for those who like the idea of posting content directly from their mobile devices.
For the most part, XML-RPC is only truly useful if you plan to use mobile apps or remote connections to publish content on your website. As mobile use has become such a prevalent way to access the Internet, many people use remote apps to make working on their WordPress sites much easier.
This is also one of the reasons why developers put so much effort into fixing the problems with this feature’s coding in the past.
However, not everyone will need this ability enabled. Many aspects of the system work very well and are easy to use on smartphones or tablets. This is especially true since the core of WordPress works exceptionally well in a mobile environment.
The biggest issues with XML-RPC are the security concerns that arise. The issues aren't with XML-RPC directly, but with how the file can be used to enable brute force attacks on your site.
Sure, you can protect yourself with incredibly strong passwords and WordPress security plugins. But the best protection is simply to disable it.
There are two main weaknesses of XML-RPC which have been exploited in the past.
The first is using brute force attacks to gain entry to your site. An attacker will try to access your site through xmlrpc.php using various username and password combinations. They can effectively use a single request to test hundreds of different passwords, which lets them bypass security tools that typically detect and block brute force attacks by counting failed login requests.
The second was taking sites offline through a DDoS attack. Attackers would abuse the WordPress pingback feature to have thousands of sites send pingback requests to a single target at once. This feature in xmlrpc.php gives them a nearly endless supply of IP addresses to distribute a DDoS attack over.
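The brute force problem described above shows up in the web server log as a burst of POST requests to xmlrpc.php from one source. The following is an added example, not code from the original article: it parses Apache/nginx "combined" access log lines and flags any source address that sends more than a configurable number of POSTs to xmlrpc.php inside a sliding time window. The log lines are constructed sample data; the addresses are documentation ranges, not real hosts.

```python
"""Flag sources hammering xmlrpc.php, from access log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc_post(rec):
    """True for POST requests to xmlrpc.php (query string ignored)."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/xmlrpc.php")


def xmlrpc_bursts(lines, max_posts=20, window_seconds=60):
    """Return {ip: peak_count} for every source that exceeded max_posts
    POSTs to xmlrpc.php within any window_seconds-long window.

    One XML-RPC request can carry many login attempts, so keep max_posts low:
    a legitimate mobile app sends a handful of calls, not dozens per minute.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_post(rec):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_posts:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(window))
    return offenders


# Constructed sample log: one source sends 25 POSTs in 25 seconds, a mobile
# app sends two normal requests, and a GET (which WordPress rejects) is ignored.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2017:14:02:{s:02d} +0000] '
    f'"POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    for s in range(25)
] + [
    '198.51.100.4 - - [10/Mar/2017:14:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "wp-iphone"',
    '198.51.100.4 - - [10/Mar/2017:14:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "wp-iphone"',
    '192.0.2.9 - - [10/Mar/2017:14:02:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.52"',
]

if __name__ == "__main__":
    for ip, peak in xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to xmlrpc.php within one window")
```

Run it against a real log with `xmlrpc_bursts(open("access.log"))`. The threshold is deliberately per-request rather than per-login-failure, because the log never shows how many password guesses a single request contained; if your setup does not need XML-RPC at all, any sustained POST traffic to the file is worth a look.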
To check whether XML-RPC is running on your site, run it through a tool called XML-RPC Validator. If you get an error message, XML-RPC is not enabled.
If you get a success message, you can stop xmlrpc.php with one of the two approaches below.
A lot of people have had a good degree of success using the .htaccess file to disable XML-RPC. The code itself is relatively simple and is useful if you don't want to add yet another plugin.
To disable xmlrpc.php in WordPress using .htaccess:
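If you would rather check from the command line than through the web-based validator, the following added example (not part of the original article) does the same job with Python's standard `xmlrpc.client`. It calls `system.listMethods`, which needs no credentials, and sorts the outcome into four buckets: the endpoint answered (enabled), the endpoint answered with a fault (refused), the web server or a plugin denied the request (blocked), or nothing usable came back (unreachable). When the endpoint is enabled it also reports whether `pingback.ping` and `system.multicall`, the two methods the article's weaknesses depend on, are exposed. The site URL is a placeholder you supply.

```python
"""Check whether a WordPress site still answers XML-RPC calls (added example)."""
import socket
import sys
import xmlrpc.client
from xml.parsers.expat import ExpatError

ENABLED, REFUSED, BLOCKED, UNREACHABLE = "enabled", "refused", "blocked", "unreachable"

# The two methods the article's weaknesses rely on: pingback reflection and
# batching many calls (including login attempts) into one request.
WATCHED_METHODS = ("pingback.ping", "system.multicall")


def classify_exception(exc):
    """Map an exception raised while calling the endpoint to one of the labels."""
    if isinstance(exc, xmlrpc.client.ProtocolError):
        # 403 from a <Files xmlrpc.php> deny rule, 404 if the file was removed,
        # 401/405 when the server refuses the method: remote calls are not served.
        if exc.errcode in (401, 403, 404, 405):
            return BLOCKED
        return UNREACHABLE
    if isinstance(exc, xmlrpc.client.Fault):
        # A fault is still a well-formed XML-RPC reply: the endpoint parsed the
        # request but declined it (this is how filter-based disabling looks).
        return REFUSED
    # Connection errors, timeouts, or an HTML page where XML was expected.
    return UNREACHABLE


def summarize_methods(methods):
    """Given the list returned by system.listMethods, report what is exposed."""
    exposed = sorted(m for m in WATCHED_METHODS if m in methods)
    return {"status": ENABLED, "method_count": len(methods), "exposed": exposed}


def check_xmlrpc(site_url, timeout=10):
    """Probe <site_url>/xmlrpc.php and return a small status dict."""
    endpoint = site_url.rstrip("/") + "/xmlrpc.php"
    socket.setdefaulttimeout(timeout)  # ServerProxy has no timeout parameter
    proxy = xmlrpc.client.ServerProxy(endpoint)
    try:
        methods = proxy.system.listMethods()
    except (xmlrpc.client.Error, OSError, ExpatError) as exc:
        return {"status": classify_exception(exc), "detail": str(exc)}
    return summarize_methods(methods)


if __name__ == "__main__":
    # Usage: python check_xmlrpc.py https://your-site.example  (placeholder URL)
    print(check_xmlrpc(sys.argv[1] if len(sys.argv) > 1 else "https://your-site.example"))
```

A "blocked" result after applying the .htaccess rule below, or a "refused" result after enabling a disable plugin, confirms the change took effect; an "enabled" result with `pingback.ping` listed means the pingback weakness is still reachable even if you only wanted to keep remote publishing.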
Step 1: Go to the root folder of your WordPress website using FTP. The File Manager in cPanel can also be useful if you have it available.

Step 2: Find and edit the .htaccess file. In some versions of cPanel, this file will be hidden. You will need to set cPanel to view hidden files to access .htaccess.

Step 3: Add the following code:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Step 4: Save the .htaccess file.
It's that simple. Now, any remote XML-RPC request from an address other than the one on the allow line will be denied; replace 123.123.123.123 with the address of the app or service that still needs access, or drop the allow line to deny everyone. Note that order/deny/allow is the Apache 2.2 access-control syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the native equivalent is Require all denied with a Require ip line for the allowed address.
While many things can be done at the coding level in WordPress, sometimes it's just easier to use the right plugin. Here we use Manage XML-RPC. This plugin is simple and does the job of enabling and disabling XML-RPC whenever you wish.
To use this plugin:
Step 1: Go to the plugins area of your WordPress dashboard.

Step 2: Add a new plugin and search for "Manage XML-RPC."

Step 3: After installing and activating the plugin, a new entry called "XML-RPC Settings" will appear on the left side of your WordPress admin panel. Click this link to open the plugin.

Step 4: Check the box to “Disable XML-RPC” if you want to remove the remote access abilities of WordPress. At any time, you can uncheck the box to re-enable it.

NOTE: Manage XML-RPC also comes with the ability to disable pingbacks. You can also set certain IP addresses to enable and disable the feature. This can be convenient if you want the service to work for specific applications or users based on their IP address.
Step 5: Once your selections have been made, click the “Save Changes” button on the bottom left of the screen.

This plugin gives you the ability to enable or disable XML-RPC for the entire site or for just a handful of IP addresses. It's a nice feature to have, especially if you want to block specific sources from reaching XML-RPC while leaving it open for the apps you use.
Here are a few other plugins you may be interested in:

The Disable XML-RPC plugin is a simple way of blocking remote access to WordPress. It's one of the most highly rated plugins, with more than 60,000 installations, and has helped many people avoid Denial of Service attacks through XML-RPC.

G2 Security gives you the ability to disable XML-RPC as well as other features to lock down WordPress. It uses Google Safe Browsing and vulnerability alerts from WPScan, can disable the file editor, and removes unnecessary headers from the system. It may be a good fit for those looking for broader website security and could be worth adding to your site.
Overall, XML-RPC was a solid solution to some of the problems of publishing to your WordPress site remotely. However, the feature brought security holes with it that ended up being pretty damaging for some WordPress site owners.
To keep your site secure, it's a good idea to disable xmlrpc.php entirely, unless you require some of the functions needed for remote publishing or the Jetpack plugin. In that case, use the plugins above that keep those features working while still closing the security holes.
In time, we can expect the features of XML-RPC to be integrated into the new WordPress API, which should preserve remote access and the like without sacrificing security. But in the meantime, it's a good idea to protect yourself from the potential XML-RPC security holes.
© 2017