XML-RPC Settings

XML-RPC Settings

Configure XML-RPC methods to increase the security of your website:

Build-in features could be used for malicious purposes and cannot be disabled by default.

• Disable GET access
  • XML-RPC API only responds to POST requests. Direct GET access is not needed and can be used to fingerprint websites and use them as XML-RPC zombies in later attacks.
• Disable system.multicall
  • system.multicall method can be misused for amplification attacks.
• Disable system.listMethods
  • system.listMethods method can be used for verifying attack scope.

Prevent malicious actors from enumerating usernames and credentials.

• Disable authenticated methods
  • Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.

Pingbacks are a helpful feature to discover back-links to your posts but can be misused for DDoS attacks or allow fingerprinting your WP version.

• Disable pingbacks
  • Pingbacks are generally safe, but are often used for DDoS attacks via system.multicall.
• Remove X-Pingback header
  • If you decide to disable pingbacks, it’s a good practice to remove the X-Pingback header return by your posts.
• Hide WordPress version when verifying pingbacks
  • Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.
• Hide WordPress version when sending pingbacks
  • Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.

Unnecessary XML-RPC API, leave enabled if you are not sure.

• Disable Demo API
  • Remove demo.sayHello and demo.addTwoNumbers methods, as they are not needed.
• Disable Blogger API
  • WordPress supports the Blogger XML-RPC API methods.
• Disable MetaWeblog API
  • WordPress supports the metaWeblog XML-RPC API.
• Disable MovableType API
  • WordPress supports the MovableType XML-RPC API.

If you are using some integrations or WP mobile applications, it might be a good idea to allow XML-RPC only to specific IPs.

• Allow XML-RPC only for
  • IP comma separated eg. 192.168.10.242, 192.168.10.241

It is possible to hide a message between the allowed methods when system.listMethods is called (not recommended).

• Add message to XML-RPC methods
  • We are hiring! Check jobs.yourdomains.com