So what is XML-RPC and why is it a good idea to disable
XML-RPC for WordPress was designed to enable remote connections between your
site and external applications. This means users can interact with their
WordPress site through other blogging platforms or phone apps. This was
useful in the earlier days of the internet, when a person would write
content offline and then connect to their WordPress blog later to publish it.
There are still certain situations where users would want to use XML-RPC. However,
with advances in technology, the use and functionality of XML-RPC have been
greatly reduced since its inception. As such, the original benefits this feature
offered have become outweighed by the security risks involved in leaving it
enabled.
WHY SHOULD I DISABLE XML-RPC?
As alluded to in the previous section, there are security risks associated with
leaving XML-RPC enabled. These include:
Brute Force Attacks - An attacker can use XML-RPC to test hundreds of
username and password combinations until they eventually gain access to
your site. This works because XML-RPC logins are not subject to the same
login-attempt limit that applies when you log into WordPress normally.
DDoS Attack - An attacker can use XML-RPC's pingback feature to send requests to
thousands of IPs. This lets them generate a flood of data and traffic which can
cause bandwidth overages and even paralyze or shut down networks.
METHOD 1 - Plugin
1: Log into your WordPress Admin Dashboard
2: Click on PLUGINS >> ADD NEW
3: Search for "Disable XML-RPC" and install the "Disable XML-RPC" plugin
Simply activate the plugin and you are done! XML-RPC is now disabled.
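An added verification step, not part of the original guide: after activating the plugin, confirm from the command line that authenticated XML-RPC calls are refused. The plugin switches off the methods that require a login (WordPress answers them with fault code 405, "XML-RPC services are disabled on this site."), while unauthenticated methods such as system.listMethods keep answering, so the probe below uses wp.getUsersBlogs; the site URL and the sample response are constructed placeholders, and curl is assumed to be installed.

```shell
#!/bin/sh
# Probe a WordPress site's xmlrpc.php and report whether authenticated
# XML-RPC methods are disabled. Added example; the sample response below
# is constructed, not captured from a real site.

# Build a minimal XML-RPC request body: method name, username, password.
# wp.getUsersBlogs requires a login, so it exercises the plugin's block.
xmlrpc_request() {
  printf '<?xml version="1.0"?><methodCall><methodName>%s</methodName><params><param><value><string>%s</string></value></param><param><value><string>%s</string></value></param></params></methodCall>' "$1" "$2" "$3"
}

# Classify a response body. Prints one of:
#   disabled - WordPress refused the call with the "services are disabled" fault
#   enabled  - a methodResponse came back (e.g. a bad-credentials fault), so
#              XML-RPC logins are still reachable
#   absent   - no XML-RPC reply at all (xmlrpc.php removed or blocked upstream)
# The "disabled" pattern is tested first because that fault is itself a
# methodResponse.
classify_xmlrpc() {
  body=$1
  case "$body" in
    *'XML-RPC services are disabled'*) echo disabled ;;
    *'<methodResponse>'*)              echo enabled ;;
    *)                                 echo absent ;;
  esac
}

# Send the probe to a live site and classify the answer.
# Usage: check_site https://www.example.com   (placeholder URL)
check_site() {
  resp=$(curl -s -X POST -H 'Content-Type: text/xml' \
           --data "$(xmlrpc_request wp.getUsersBlogs probe probe)" \
           "$1/xmlrpc.php")
  classify_xmlrpc "$resp"
}

# Constructed sample of the fault WordPress returns once the plugin is active.
SAMPLE_DISABLED='<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>405</int></value></member><member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member></struct></value></fault></methodResponse>'

echo "constructed sample classifies as: $(classify_xmlrpc "$SAMPLE_DISABLED")"
```

Run `check_site https://your-site.example` (your own site's URL) after activating the plugin; "disabled" is the expected result, and "enabled" means the plugin is not taking effect.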