How to Protect WordPress from XML-RPC DDoS Attacks

What is RPC?

RPC (Remote Procedure Call) is a small extension to start connections call step between different applications or different machines.

What is XML-RPC?

Essentially it allows you, through the XML-RPC protocol to post, edit and publish pages from a desktop application like BlogDesk, MarsEdit and ScribeFire. In other words, its used for remotely publish your content from your desktop. Most users doesn’t need WordPress XML-RPC application, and it’s one of the most popular backdoor causes for attacking.

Whats is DDos attack ?

DDoS (Distributed Denial of Service) is an attempt to make an online website unavailable by crushing it with huge massive traffic from multiple sources.

What is the Best Ways to Protect WordPress from xmlrpc Brute Force Attacks?

There are many ways to block and disable access to xmlrpc as well as pingback and trackbacks, like .httacces and themes function modification or even plugin but i will try to explain it simply by the following 5 steps to prevent any confusing.

• Disable Pingback Function
• Remove xmlrpc.php Linkback
• Disable XML-RPC WordPress Plugin
• Modify Themes Function
• Block Access to xmlrpc by .httaccess

#1: How to Disable Pingback in your WordPress Setting?

First and simple step is disable pingbacks in your wordpress which is enabled by default, just open your site dashboard then go to Settings->Discussion and remove this option “Allow link notifications from other blogs (pingbacks and trackbacks)” then save your changes.

#2: How to Remove xmlrpc.php linkback from your header?

Open your site dashboard then go to Appearance->Editor->Header.php then Find and remove this line.

<link rel="pingback" href="<?php bloginfo( 'pingback_url' ); ?>">

#3: What is the Best Plugin to Disable XML-RPC API Service?

Disable XML-RPC plugin it just simply disables XML-RPC API in WordPress, which is enabled by default.
All you have to do, is just activate it after installation from Plugins->Add New and type “disable xml rpc pingback” in search box (developed By Philip Erb).

#4: Modify Themes function to block access for XML-RPC

If you don’t like to install additional plugin in your site, just add one of the following code at the end of your themes function file functions.php, keep in mind both codes do the same of the Disable XML-RPC plugin.

add_filter('xmlrpc_enabled', '__return_false');

OR

add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

#5: How to Block Access to xmlrpc by .httaccess Modify?

if you would like to block access to xmlrpc.php file, just add following code at the end of .httaccess file

<IfModule mod_alias.c>
    RedirectMatch 403 /xmlrpc.php
</IfModule>

Alternate way for .httaccess file (its my favorite one)

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

if you would like to block access for everyone but allowed for your ip, use the following code and replace “11/22/33/44” with your own PC IP.

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    Allow from 11/22/33/44
</Files>

XMLRPC Best Practices

• Be smart and fight malicious attacks and don’t surrender.
• You have to learn daily for how to close all backdoors in your site.
• You have to be sure 100% of fix after each step completed by testing the results manually.
• Be ware of .httacces modification file because you may block other useful pages by mistake.