How XML-RPC can affect WordPress Security

XML-RPC is a WordPress API that lets site owners manage their WordPress sites on the go. But how does it affect a WordPress site’s security?


What is XML-RPC, and why is it such a big deal?

XML-RPC is an API that enables developers to create WordPress ‘apps’ (like clients, plugins and themes) that allow you to make remote HTTP requests to your WordPress site.

This means, as a WordPress site owner, if you used a plugin or client that had WordPress XML-RPC support, you would be able to perform a number of functions without actually logging in to your WordPress site.

Some of the functions you would be able to perform on your site with these plugins or clients would include:

  1. Post-related functions like creation, publication, editing and deletion
  2. Media-related functions that include uploading files, and viewing the media library
  3. User-related functions, such as editing your profile, getting a list of authors for a post, etc.
  4. Comment-related functions such as listing comments, and editing them

There are a number of weblog clients and WordPress plugins that allow you to do this. Some of the popular ones include the Jetpack plugin for WordPress.org, clients like rubypress and WordPress Sharp, and even WordPress’ own app for both Android and iOS. Since all of these functions make life easier, WordPress has had XML-RPC enabled by default since WordPress 3.5. (WordPress’ latest update was WordPress 4.6, so it’s been a while.) Obviously these tools would still need you to input your WordPress admin username and password for them to work, so they seem safe.

How does it pose a security risk?

However, anyone can use the XML-RPC API to make these requests. Using the API, a script can make multiple requests simultaneously to your site. This makes it a convenient choice for attackers who want to launch attacks against your site.

One use of this functionality is to try different combinations of usernames and passwords with substantially lower chances of being detected. This makes XML-RPC an ideal approach for Brute Force attacks.

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack is the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. Often deemed ‘inelegant’, these attacks can be very successful when people use passwords like ‘123456’ and usernames like ‘admin.’

Even if you have passwords consisting of a minimum of 10-15 alphanumeric characters and special characters, there is one more threat – DDoS.

DDoS is a type of Denial of Service (DoS) attack where many infected websites or systems are used to attack a single website and bring it down by overwhelming the target website with requests. The website’s server shuts down and so denies service (… hence the term).

In fact, in March 2014, a number of WordPress sites experienced an attack involving ‘pingback’. Pingback is an XML-RPC functionality (especially on WordPress) that allows you to see where links to your WordPress posts are used. This is done by the sites with shared links pinging the source of the link. The source site then replies (or pings them back) with the live link (so that if the post is taken down, it would show you a ‘404 error’, or if it’s been updated, the newer version of the post would be displayed). So when attackers used XML-RPC requests to perform the DDoS attack in 2014, they exploited the pingback functionality and used thousands of other sites to ping victim sites. Once all the thousands of sites started pinging the victim site simultaneously, the server ran out of resources and the site went down.
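Both the brute-force and the pingback scenarios above leave traces in the web server's access log. The following is an added example, not part of the original article: it flags client IPs that POST to xmlrpc.php at a high rate, and reports when several distinct sites are sending pingback verification requests. The Combined Log Format, the thresholds and the sample log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
WINDOW = timedelta(seconds=60)   # assumed sliding window
MAX_POSTS = 5                    # assumed per-IP limit of xmlrpc.php POSTs per window
MIN_PINGBACK_SOURCES = 3         # assumed number of distinct pingback senders worth reporting
# Text WordPress appends to the User-Agent when it fetches a page to verify a pingback.
PINGBACK_UA = "verifying pingback from"

def analyse(lines):
    """Return (IPs hammering xmlrpc.php, IPs of pingback senders or an empty set)."""
    recent = defaultdict(deque)  # ip -> timestamps of recent POSTs to xmlrpc.php
    noisy, pingers = set(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            q = recent[m["ip"]]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop hits that fell out of the window
                q.popleft()
            if len(q) > MAX_POSTS:
                noisy.add(m["ip"])
        if PINGBACK_UA in m["ua"]:
            pingers.add(m["ip"])
    if len(pingers) < MIN_PINGBACK_SOURCES:
        pingers = set()          # a few pingbacks are normal blog traffic
    return noisy, pingers

def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    fmt = '{ip} - - [12/Mar/2014:10:00:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.9", s=s, req="POST /xmlrpc.php", ua="curl/7.0")
             for s in range(0, 40, 2)]   # 20 POSTs in under a minute from one client
    lines.append(fmt.format(ip="192.0.2.10", s=5, req="POST /xmlrpc.php", ua="wp-android/5.0"))
    lines += [fmt.format(ip=f"198.51.100.{n}", s=30, req="GET /some-post/",
                         ua=f"WordPress/4.6; http://blog{n}.example; {PINGBACK_UA} 192.0.2.99")
              for n in range(1, 5)]      # four different sites verifying pingbacks
    return lines
```

A single legitimate client, such as the mobile app posting once, stays below the threshold, so the check can run alongside normal XML-RPC use.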

Do you have to disable XML-RPC?

Well, it depends. WordPress identified the XML-RPC API abuse, and has made its rules stricter. Plugins like Akismet that help detect spam have also gotten better at detecting attacks like the one involving pingback. But the bottom line is that there is no way to make your WordPress site 100% attack-proof.

So yes, an easy way to make your site safer would be to disable the XML-RPC API. For this, one can use security plugins such as iThemes Security (formerly Better WP Security) or NinjaFirewall.

However, before making this choice, it is very important to understand that turning this API off can affect the functionality of some plugins and apps that you might be using in conjunction with WordPress. It will disable the WordPress mobile app and severely affect plugins like Jetpack by preventing them from accessing your site.

This is why it’s always important to have several backups of your WordPress site before you test the change to see if you’re okay with it. If you’d rather keep the functionality on, you can choose a previous version of your site and roll back the changes to a fully functional version.

Making an integral change to your site is never easy, but it’s always better when you have all the facts. Which choice have you gone with, on your WordPress site? Let us know in the comments!