Title: Is WordPress’s XML-RPC functionality a security vulnerability?
Last modified: August 21, 2016

---

# Is WordPress’s XML-RPC functionality a security vulnerability?

 *  Resolved [bourkedesign](https://wordpress.org/support/users/bourkedesign/)
 * (@bourkedesign)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/)
 * My client just received an email from her host. They said WordPress’s XML-RPC
   functionality is becoming an increasingly popular exploit, and it’s best to disable
   it.
 * Do you agree? If so, is the best way to do this with a plugin, such as [https://wordpress.org/plugins/disable-xml-rpc-fully/](https://wordpress.org/plugins/disable-xml-rpc-fully/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5121849)
 * I don’t agree, to be honest. It still requires a username and password to post,
   so if you think that’s insecure, you might as well just stop using anything that
   only requires a username and password. 🙂
 * And, that also says a lot about the host you’re using. Maybe it’s time to move?
   😉
 * If you’re concerned about security, here are a bunch of recommended things: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  [tigertech](https://wordpress.org/support/users/tigertech/)
 * (@tigertech)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5121852)
 * > It still requires a username and password to post
 * Well, note that the problems with it go beyond the danger of allowing a stranger
   who knows your password to post to your blog.
 * In addition to XML-RPC being used to try to [link moderated – keep support on
   this site] guess passwords (this is new since many hosting companies now rate-
   limit wp-login.php), it can also be used to [make your site attack other sites](http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html).
   It’s likely that the hosting company was referring to these unexpected dangers.
 * XML-RPC is still enabled on our blog because we have other measures in place,
   but if I didn’t, I think I’d disable it. Removing **any** software you don’t 
   use from your site improves security as it minimizes what’s exposed to hackers.
   But that’s a general rule, not specific to XML-RPC; the same thing applies to
   removing plugins and old theme files you don’t use, for example.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5121855)
 * Yes, XML-RPC can be used to brute-force guess passwords, but so can wp-login.php. 🙂
 * If the hosts are really concerned about it, they can rate-limit XML-RPC too. 
   For example, the likelihood of anyone but a brute-force bot sending 30 calls 
   to XML-RPC in 15 minutes is very slim.
 * The discussion of returning XML-RPC controls has been hashed out by the core 
   developers thousands of times, I’d rather not repeat the whole act here, but 
   you can find the various discussions via Google. Basically, the decision was 
   reached that confusion caused by XML-RPC being disabled was more prevalent than
   security concerns, as XML-RPC is really no more vulnerable than wp-login.php.
 * Just follow the recommended security procedures, and you’ll have nothing to worry
   about: [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 *  [tigertech](https://wordpress.org/support/users/tigertech/)
 * (@tigertech)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5121856)
 * > If the hosts are really concerned about it, they can rate-limit XML-RPC too
 * That’s definitely true. The unfortunate thing is that it’s much harder to add
   rate-limiting rules for XML-RPC, so fewer will.
 * It’s easy to rate-limit HTTP POSTs to wp-login.php because every single one of
   them represents a single attempt to login (and nothing else). And it’s easy to
   tell whether the request sent the right password or not based on the HTTP result
   code. So you can trivially generate a list of all IP addresses that are sending
   bad logins just by searching through your Web server’s access.log.
 * But a POST to xmlrpc.php can contain many different kinds of actions, some of
   which are expected to be repeated and must not be rate-limited.
 * So you have to examine the XML content of the request to find ones that are password
   guessing attempts — and if you want to know whether it was valid or not, you 
   have to examine the contents of the result body, too, because the HTTP result
   code is always “200”, whether a bad password is sent or not.
 * Many hosting companies probably don’t have the tools to intercept and parse HTTP
   request and result bodies to do this properly, so I would expect that on average,
   xmlrpc.php is going to be more vulnerable than wp-login.php, unfortunately. 🙁
 * > Just follow the recommended security procedures, and you’ll have nothing to
   > worry about
 * Agreed.
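The two points made in this exchange (James Huff's suggestion of rate-limiting XML-RPC with a threshold along the lines of 30 calls in 15 minutes, and tigertech's explanation of why that is harder than for wp-login.php) can be demonstrated in code. The following is an added example, not code from this thread, from WordPress, or from any plugin mentioned. It parses an XML-RPC request body to decide whether it is a credential-bearing call (including guesses packed into `system.multicall`), parses the response body for WordPress's `faultCode` 403 "Incorrect username or password." fault because the HTTP status is 200 either way, and keeps a per-IP sliding window of failures. The method names and fault code are WordPress's real ones; the `CREDENTIAL_METHODS` table is a partial list, the 30-failures-in-15-minutes threshold is an assumption taken from the discussion, and all request/response bodies and IP addresses are constructed for the example.

```python
"""Telling XML-RPC password guesses apart from other XML-RPC traffic.

Added example, not code from the thread or from WordPress. Method names and the
403 "Incorrect username or password." fault are WordPress's own; sample bodies,
IP addresses and the 30-in-15-minutes threshold are constructed/assumed here.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Credential-bearing methods -> index of the username parameter (partial list).
# wp.* take (blog_id, username, password, ...) except wp.getUsersBlogs;
# blogger.*/metaWeblog.getUsersBlogs take (appkey, username, password).
# pingback.*, demo.*, system.* carry no credentials and are never counted.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs": 0, "wp.getPosts": 1, "wp.newPost": 1, "wp.getProfile": 1,
    "blogger.getUsersBlogs": 1, "metaWeblog.getUsersBlogs": 1, "metaWeblog.getRecentPosts": 1,
}


def _scalar(value_el):
    """Text of an XML-RPC <value>: its typed child (<string>, <int>, ...) or bare text."""
    child = next(iter(value_el), None)
    return ((value_el.text if child is None else child.text) or "").strip()


def _struct(value_el):
    """Map member name -> <value> element for a <value><struct> node ({} if not a struct)."""
    struct = value_el.find("struct")
    if struct is None:
        return {}
    return {m.findtext("name", "").strip(): m.find("value")
            for m in struct.findall("member") if m.find("value") is not None}


def _attempt(method, param_values):
    idx = CREDENTIAL_METHODS.get(method)
    if idx is None or len(param_values) <= idx + 1:   # need username AND password present
        return []
    return [(method, _scalar(param_values[idx]))]


def extract_login_attempts(request_body):
    """[(method, username)] for every credential-bearing call in one POST body.

    A plain call yields at most one attempt; system.multicall can pack many
    guesses into a single request, so each inner call is inspected."""
    root = ET.fromstring(request_body)
    if root.tag != "methodCall":
        return []
    method = root.findtext("methodName", "").strip()
    params = [p.find("value") for p in root.findall("params/param")]
    if method != "system.multicall":
        return _attempt(method, params)
    attempts = []
    if params and params[0] is not None:
        for call in params[0].findall("array/data/value"):
            fields = _struct(call)
            if "methodName" in fields and "params" in fields:
                inner_params = fields["params"].findall("array/data/value")
                attempts.extend(_attempt(_scalar(fields["methodName"]), inner_params))
    return attempts


def count_failed_logins(response_body):
    """Number of faultCode-403 faults in a response: a top-level <fault> for a
    plain call, or fault structs inside a system.multicall result array.
    The HTTP status is 200 in both cases, so this is where failure is visible."""
    root = ET.fromstring(response_body)
    if root.tag != "methodResponse":
        return 0
    candidates = root.findall("fault/value") + root.findall("params/param/value/array/data/value")
    return sum(1 for v in candidates
               if "faultCode" in _struct(v) and _scalar(_struct(v)["faultCode"]) == "403")


class FailedLoginTracker:
    """Sliding-window count of failed XML-RPC logins per client IP (threshold assumed)."""

    def __init__(self, threshold=30, window_seconds=15 * 60):
        self.threshold, self.window = threshold, window_seconds
        self.events = defaultdict(deque)

    def record(self, ip, ts, request_body, response_body):
        """Feed one request/response pair; True once ip reaches the threshold."""
        attempts = extract_login_attempts(request_body)
        if not attempts:
            return False                      # pingback & co.: never counted
        failures = min(count_failed_logins(response_body), len(attempts))
        q = self.events[ip]
        q.extend([ts] * failures)
        while q and q[0] <= ts - self.window:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.threshold


# ---- constructed sample traffic (not captured from a real site) ----------
LOGIN_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value><string>admin</string></value></param>
<param><value><string>Password1</string></value></param>
</params></methodCall>"""
PINGBACK_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>http://example.com/post</string></value></param>
<param><value><string>http://example.org/post</string></value></param>
</params></methodCall>"""
FAULT_403 = ("<value><struct><member><name>faultCode</name><value><int>403</int></value></member>"
             "<member><name>faultString</name><value><string>Incorrect username or password."
             "</string></value></member></struct></value>")
LOGIN_FAIL_RESPONSE = '<?xml version="1.0"?><methodResponse><fault>' + FAULT_403 + "</fault></methodResponse>"
LOGIN_OK_RESPONSE = ('<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
                     "<value><struct><member><name>blogid</name><value><string>1</string></value>"
                     "</member></struct></value></data></array></value></param></params></methodResponse>")


def multicall_request(guesses):
    """system.multicall body with one wp.getUsersBlogs guess per (user, password) pair."""
    calls = "".join(
        "<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string>"
        "</value></member><member><name>params</name><value><array><data>"
        f"<value><string>{u}</string></value><value><string>{p}</string></value>"
        "</data></array></value></member></struct></value>" for u, p in guesses)
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params>'
            "<param><value><array><data>" + calls + "</data></array></value></param></params></methodCall>")


def multicall_fail_response(n):
    """Response to a multicall in which all n inner logins failed."""
    return ('<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
            + FAULT_403 * n + "</data></array></value></param></params></methodResponse>")


if __name__ == "__main__":
    tracker = FailedLoginTracker()
    for i in range(10):   # ten multicalls of three guesses each = 30 failures
        hit = tracker.record("198.51.100.7", i,
                             multicall_request([("admin", f"pw{i}{k}") for k in range(3)]),
                             multicall_fail_response(3))
    print("blocked:", hit)
```

Two design points worth noting. A plain per-URL counter on `xmlrpc.php` would either throttle legitimate pingbacks and Jetpack-style traffic or miss a `system.multicall` that hides dozens of guesses in one POST, which is why both the request and the response body are parsed and failures are counted per inner call. The `min(failures, len(attempts))` guard keeps a 403 fault from some unrelated inner call from inflating the count. Running this in front of a live site needs something (a reverse proxy, a WAF, or a WordPress hook) that can see request and response bodies, which is exactly the tooling gap tigertech describes.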
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5121857)
 * I suspect that if it becomes enough of a problem, someone will write a plugin
   along the lines of [http://wordpress.org/plugins/limit-login-attempts/](http://wordpress.org/plugins/limit-login-attempts/)
   which is what most of the hosting providers use to rate-limit wp-login.php. Despite
   its age, it still works great. 🙂
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5121858)
 * And on that note, it looks like there already is one: [http://wordpress.org/plugins/login-security-solution/](http://wordpress.org/plugins/login-security-solution/)
 *  Thread Starter [bourkedesign](https://wordpress.org/support/users/bourkedesign/)
 * (@bourkedesign)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5122100)
 * Thanks so much James and tigertech! I appreciate your insights here.
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5122109)
 * You’re welcome!


The topic ‘Is WordPress’s XML-RPC functionality a security vulnerability?’ is closed
to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)
 * [XML-RPC](https://wordpress.org/support/topic-tag/xml-rpc/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 8 replies
 * 3 participants
 * Last reply from: [James Huff](https://wordpress.org/support/users/macmanx/)
 * Last activity: [11 years, 10 months ago](https://wordpress.org/support/topic/is-wordpresss-xml-rpc-functionality-a-security-vulnerability/#post-5122109)
 * Status: resolved

