[Defender Pro] Defender says XML-RPC is disabled but WP Checkup says it's enabled

I've used Defender Pro to disable XML-RPC and it's listed under the Security Tweaks as being "Resolved"; however, when I run your WP Checkup tool it lists XML-RPC as being enabled. I actually had this problem with another website of mine running Defender Pro, where the site actually was attacked using XML-RPC even though I thought it was disabled. I contacted my hosting provider (Cloudways) and they confirmed that it wasn't disabled and was being exploited. I had to add custom code to my functions.php file in that case to actually disable it.

Could you guys please look into this and help to identify why this is happening?

  • Nebu John
    • FLS

    Hi AtmoVantage,

    I hope you’re well today and thank you for reaching out to us!

    There are usually two ways to disable the XML-RPC:

    1: Block the entire xmlrpc.php file with .htaccess, so no one can access it.

    2: Block the XML-RPC methods which require authentication, the WordPress way, using these methods:

    add_filter( 'xmlrpc_enabled', '__return_false' );       // refuse every XML-RPC method that needs a login
    add_filter( 'xmlrpc_methods', 'block_xmlrpc_attacks' ); // callback receives the method list and returns the filtered one

    You could find more details here:

    https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/

    https://developer.wordpress.org/reference/hooks/xmlrpc_methods/

    Defender Pro uses the second method; we have blocked all the XML-RPC methods like:

    wp.getUsersBlogs

    wp.newPost

    wp.editPost

    wp.deletePost

    We only accept two methods for pingback:

    pingback.ping

    pingback.extensions.getPingbacks

    Here are more details about Pingback: https://www.wpbeginner.com/glossary/pingback/

    So this is secure enough, but if you want to disable the whole of XML-RPC, you can add the following code at the very bottom of the .htaccess file:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    deny from all
    # Apache 2.4 without mod_access_compat uses: Require all denied
    </Files>

    Let me know if you have any questions regarding this issue!

    Kind Regards,

    Nebu John

  • AtmoVantage
    • Stormageddon, Site Liberator

    Hi Nebu,

    That makes sense, however is there a way for WP Checkup to detect which of the two methods has been used so we have some consistency? It’s a little misleading for Defender Pro to say it’s disabled XML-RPC while your own tool WP Checkup says otherwise.

    Best Regards,

    Austin

  • Nebu John
    • FLS

    Hello AtmoVantage,

    Hope you are doing well today.

    I understand your concern. Also, I have contacted the developers regarding this and they will be looking into it further.

    Feel free to get back to us if you have any doubts or need any further help.

    Kind Regards,

    Nebu John

    • Namirial
      • IT Company

      Hello Nebu John,
      are there any updates regarding this problem?
      I’m having the same problem, XML-RPC is disabled on Defender Pro (see attached), but it is still active.

      To disable it I had to add this instruction in the .htaccess (but there are other ways):

      <Files xmlrpc.php>
      Order Allow,Deny
      Deny from all
      </Files>

      After this, XML-RPC is finally disabled, but it seems that something in Defender Pro does not work, or am I wrong?

      Awaiting your reply, thank you!

      • Mhamdi Youssef
        • Support Agent

        Hello Namirial!

        Hope you are doing well!

        We are so sorry about the delay. As per our developers' feedback, using the Disable XML-RPC recommendation means disabling the ‘xmlrpc_enabled’ WP hook and the Pingback methods, and not necessarily disabling the file itself (https://at******ge.com/xmlrpc.php). This is explained in more detail in the first reply from my friend John; therefore you get that message from Defender as it is disabled.

        Furthermore, with your .htaccess rules, you have only denied access to that file, and the confusing part is that our hosting doesn’t use .htaccess files, which means that the .htaccess shouldn’t be working on your site hosted with us.

        On the other hand, you can easily go to your site in HUB > Hosting > Tools and enable the WAF, since I just checked and it looks disabled on your site hosted with us (https://at******ge.com/). Then, in the WAF popup/modal, scroll down to URLs Blocklist and add /xmlrpc.php there; this should work exactly the same as your .htaccess rules.

        I hope this helps!

        Let us know if you need any further help!

        Kind regards,
        Youssef

  • Namirial
    • IT Company

    Hello Mhamdi Youssef,
    I think there is a bit of confusion. I have a similar problem to the user who started the thread, but I don’t have the website hosted on WPMUDEV Hosting and I can’t activate the WAF; on the contrary, my server uses .htaccess, and by writing the rule there, XML-RPC is finally disabled.

    Without this rule in .htaccess, if using only Defender Pro with the feature “Disable XML-RPC” enabled and active (see the previous screenshot with the green border section), XML-RPC is not deactivated.

    I think this is a problem with the Defender Pro plugin; can you verify this please?

    Thank you

  • Nithin Ramdas
    • Support Wizard

    Hi Namirial,

    if using only Defender Pro with the feature “Disable XML-RPC” enabled and active (see the previous screenshot with the green border section), XML-RPC is not deactivated.

    I think this is a problem with the Defender Pro plugin; can you verify this please?

    What Defender Pro does is block XML-RPC authentication at the WP core level using the following hooks:
    https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/
    https://developer.wordpress.org/reference/hooks/xmlrpc_methods/

    So the xmlrpc.php file itself remains accessible, but because Defender is blocking authentication, Defender wouldn’t allow any requests to be accepted.

    WP Checkup, on the other hand, only checks whether the xmlrpc.php file is accessible or not, and hence it gives the impression that XML-RPC is enabled.

    This isn’t an issue within Defender Pro but more with how WP Checkup scans, as it only considers the /xmlrpc.php path as a factor. We are working on improving WP Checkup and will be updating it down the road; hopefully this use case will also be addressed in future.

    There aren’t any additional security benefits to blocking the path to xmlrpc.php, as Defender is already disabling authentication at the core level. However, using the .htaccess rules as you have mentioned should be enough if you are keen on blocking the path to /xmlrpc.php.

    Kind Regards,
    Nithin
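
The thread's whole disagreement is that WP Checkup tests only whether /xmlrpc.php answers, while Defender removes the login-requiring methods via the xmlrpc_enabled and xmlrpc_methods hooks. Below is an added example (my code, not from the thread, Defender Pro or WP Checkup) of a check that tells the two "disabled" states apart: it sends the credential-free introspection call system.listMethods to a site you administer and classifies the reply; the sample replies, the AUTH_PREFIXES list and the function names are my own assumptions.

```python
# Added example (not code from the thread, Defender Pro or WP Checkup): tell the two
# "disabled" states apart instead of only testing whether /xmlrpc.php answers, by
# sending system.listMethods (no credentials) and classifying the reply.
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Method families that require a login; Defender removes them via xmlrpc_methods.
AUTH_PREFIXES = ("wp.", "blogger.", "metaWeblog.", "mt.")
# The two methods the thread says Defender keeps.
PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}

def list_methods_request() -> bytes:
    """Body of a system.listMethods call: read-only introspection, no password."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()

def classify(status: int, body: bytes) -> str:
    """'file-blocked'    - xmlrpc.php itself is denied (.htaccess <Files> or WAF rule)
    'methods-blocked' - file answers, but no login-requiring method is advertised
    'enabled'         - wp.* or similar methods are still advertised"""
    if status >= 400:
        return "file-blocked"
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault:
        return "enabled"  # endpoint is live enough to return an XML-RPC fault
    except (xmlrpc.client.ResponseError, ExpatError):
        return "file-blocked"  # HTML error page or other non-XML-RPC content
    methods = params[0] if params else []
    if any(m.startswith(AUTH_PREFIXES) for m in methods):
        return "enabled"
    return "methods-blocked"

def check_site(xmlrpc_url: str, timeout: int = 10) -> str:
    """POST the probe to https://<your-site>/xmlrpc.php and classify the answer."""
    req = urllib.request.Request(xmlrpc_url, data=list_methods_request(),
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 403 from .htaccess / WAF lands here
        return classify(err.code, err.read())

def sample_reply(methods) -> bytes:
    """Constructed listMethods reply (not captured from any site), for offline use."""
    return xmlrpc.client.dumps((list(methods),), methodresponse=True).encode()

DEFENDER_LIKE = sample_reply(["system.listMethods", *sorted(PINGBACK_METHODS)])
STOCK_WP = sample_reply(["system.listMethods", "wp.getUsersBlogs", "wp.newPost"])
```

A "methods-blocked" result is what the hook-based approach from this thread produces; "file-blocked" is what the .htaccess or WAF rule produces, and only "enabled" means login-requiring methods are still exposed.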