From the very beginnings of WordPress, there have been features that allow you to interact remotely with your site. These same features build your community by allowing other bloggers to reference your posts. At the core of all of this is XML-RPC.<\/p>\n
XML-RPC, or XML Remote Procedure Call,\u00a0powers these features in WordPress:<\/p>\n
But there\u2019s a problem with XML-RPC that you need to resolve to secure your WordPress site.<\/p>\n
Back in the early days of blogging (long before WordPress existed), most writers on the Internet were still using dial-up connections to surf the web. It was hard to write posts and get them up. The solution was to write on your computer offline and copy\/paste your prose, and perhaps a graphic or two to your blog. Folks who were using a word processor found this method somewhat troublesome, as their text often had extraneous codes attached, even if you saved a document as HTML.<\/p>\n
Blogger created an application programming interface (API) to allow other developers to access Blogger blogs. Enter the offline blog client, which allowed users to type posts offline and then connect to Blogger API-enabled blogs through XML-RPC. Other blogging systems followed suit, and there was eventually a MetaWeblogAPI that standardized basic access.<\/p>\n
Jumping forward a decade or so, today we all use apps on our phones and tablets instead of our computers. One of the things that people like to do with their phones is post to their WordPress sites. In 2008-09, Automattic obliged by creating WordPress apps for pretty much every mobile operating system (even Blackberry and Windows Mobile).<\/p>\n
These apps allowed you, through the XML-RPC interface, to use your WordPress.com credentials to log in to any WordPress site you had user rights to.<\/p>\n
This happens by way of the Remote Procedure Calls \u2013 that is what RPC stands for.<\/p>\n
And now you should be thinking \u201cOh, no. What happens if someone else gets my password?\u201d The answer isn’t pretty: that \u201csomeone else\u201d can do everything you can do on your site. Because, of course, they are effectively you. Getting a queasy feeling yet?<\/p>\n
More bad news: If you use Jetpack to use its wonderful tools on your self-hosted site, several of those wonders use XML-RPC too.<\/p>\n
XML-RPC support has been part of WordPress from the first day. If you want to be fussy about it, it\u2019s part of the pre-history of WordPress; being part of the b2 platform that Matt Mullenweg forked to create WordPress.<\/p>\n
WordPress 2.6 was released on July 15, 2008. Enable XML-RPC was added to the WordPress Remote Publishing settings, with the default setting set to “Off.”<\/p>\n
A week later, the WordPress for iPhone app was released, and its users were asked to flip the setting to “On.”<\/p>\n
Four years after the iPhone app joined the family, WordPress 3.5 made XML-RPC support enabled by default\u00a0and took away the dashboard setting.<\/p>\n
And so it has stayed.<\/p>\n
The main weaknesses associated with XML-RPC are:<\/p>\n
So here we go again. The modern world is deeply annoying with its trade-offs.<\/p>\n
If you want to make sure no one is bringing a bomb on your airplane, you have to stand in line to go through the metal detectors. If you want to keep your car while you\u2019re shopping, lock the doors and close the windows. You can\u2019t use p@ssw0rd to lock your website, either. Especially if you like using Jetpack or the mobile apps.<\/p>\n\n
Understand that the security issue isn\u2019t really XML-RPC itself, the problem is that attackers can use this as another way to brute-force its way through to your username and password. So the best way to protect yourself is (still) to use long, complicated passwords (or use a password manager that can create them for you). But that isn\u2019t always easy to do, particularly if you engage with WordPress through several different computers.<\/p>\n
The next best thing you can do to protect yourself today is to turn off XML-RPC in your Settings altogether. Some additions to your .htaccess file can lock down access to the xmlrpc.php file. Here\u2019s how to do that.<\/p>\n
Note: Check with your web host for their policy on users creating and editing .htaccess before making changes.<\/em><\/p>\n\n