WordPress uses XML-RPC to let users perform many operations on their sites remotely. It lets you access your site from the WordPress mobile app, and you can publish a post to your blog remotely from one of the popular weblog clients. XML-RPC is also used to implement trackbacks and pingbacks, which let you link your site to other interesting websites. However, many attacks on WordPress exploit the XML-RPC feature to gain access to sites, so disabling XML-RPC on your site is worth considering.
Brute force attacks on WordPress traditionally involve repeated login attempts against the login/admin page. Login through the standard WordPress login page, however, can be secured in many ways. Undeterred by this, attackers have found another way of launching brute force attacks that is very hard to detect: XML-RPC. Requests that modify the site over XML-RPC are authenticated with a username and password so that you can make changes securely. Attackers exploit this by trying an endless number of username/password combinations until they gain entry to your site. While methods like limiting login attempts and CAPTCHA are effective at blocking login attempts from the WordPress login page, they do not protect you against attacks through XML-RPC.
DDoS (Distributed Denial of Service) is another form of attack that can be carried out by exploiting XML-RPC. In fact, if you have pingbacks enabled, your site could be attacking another site right now without you knowing it. A single attacker can use thousands of popular, otherwise clean WordPress sites to launch a DDoS attack on your site with a simple pingback request to the XML-RPC file. These endless requests hog the server and slow your site down, or may even crash it. In most cases, however, your host will shut your site down before any of that happens.
One of the simplest ways to protect yourself is to disable XML-RPC on your site. Many plugins (BulletProof Security, Disable XML-RPC, Remove XML-RPC Pingback Ping, etc.) let you do this very easily. However, many apps and plugins rely on XML-RPC for their own functioning. For example:
- WordPress Mobile App
- Various photo gallery plugins
If your site uses any of these apps, consider enabling only those parts of XML-RPC that are absolutely needed. For instance, the Remove XML-RPC Pingback Ping plugin can be used to turn off only pingbacks on your site instead of the entire XML-RPC feature. You could also opt for a website firewall for the best protection against brute force attacks.
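As an added example (not code from the original post or from any of the plugins named above), here is a small must-use plugin that keeps XML-RPC available for the mobile app but removes only the pingback methods, as the text suggests; the file name, the logging and the comments are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (example)
 * Description: Example mu-plugin: keep XML-RPC for authenticated clients
 *              such as the WordPress mobile app, but unregister the pingback
 *              methods and stop advertising pingback support.
 *              Save as wp-content/mu-plugins/restrict-xmlrpc.php (assumed path).
 */

// Option A (left commented out): turn off authenticated XML-RPC entirely.
// Caveat: the xmlrpc_enabled filter only rejects methods that require a
// login; pingback.ping needs no login, so Option B is still required
// to stop pingback abuse.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B: unregister only the pingback-related methods so that
// wp.* and blogger.* methods keep working for the mobile app.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising pingback support in the X-Pingback response header...
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ...and in the <link rel="pingback"> tag that themes print via bloginfo().
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// Detection aid (assumption): record every XML-RPC method call with the
// caller's address, so repeated login-requiring calls from one IP become
// visible in the PHP error log and can be fed to fail2ban or a WAF.
add_action( 'xmlrpc_call', function ( $name ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'xmlrpc_call %s from %s', $name, $ip ) );
} );
```

After installing, a pingback.ping request to xmlrpc.php should be answered with a "requested method does not exist" fault while the mobile app continues to log in normally.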