Jetpack requires XML-RPC to function.
Unfortunately, blocking XML-RPC is not a great solution for fighting security risks. It’s akin to selling your car because you don’t want it to be stolen.
Your site’s XML-RPC file is kind of like a communication gateway to your site. Jetpack, the WordPress Mobile Apps, and other plugins and services will use this file to communicate with your site. If this is blocked, you will have other issues pop up down the road for the same reasons.
If properly connected, Jetpack’s Protect feature will guard against bulk attacks on both wp-login.php and xmlrpc.php: https://jetpack.com/support/security-features/#protect
The problem we get is if we enable that file, over time we get 500 errors and our hosts say we have to disable it.
Does protect do a good job?
Is CDN better than loading from your own server then?
The problem we get is if we enable that file, over time we get 500 errors and our hosts say we have to disable it.
Do you have any more specific details on that? The most popular hosting providers out there have managed to find other ways to protect their servers without having to hinder your site and your ability to use services with your WordPress.
If they still refuse to allow that, we have some recommended hosting providers at https://ww.wp.xz.cn/hosting/ and Jetpack has some recommendations at https://jetpack.com/hosting/
Does protect do a good job?
If a particular IP address provides wrong access credentials a set number of times, it is blocked for a period. The length of the block increases exponentially for each further attempt to use wrong access credentials (the specifics are not publicly available for security reasons).
Is CDN better than loading from your own server then?
Always. Your site is hosted on 1 server at 1 location; the distance to the server means increased latency and slower speed. When you’re working with a CDN, you’re not only working with a server optimized specifically for the content it’s serving, but also with your content cloned across multiple servers across the world. That means less latency and higher speeds, as more people are now closer to a server.
In Jetpack’s case, the CDN is optimized specifically for images and static files, and cloned in servers at 7 data centers across the entire world.
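The lockout behaviour described in the reply above (a set number of wrong credentials, then a block that grows exponentially with each further attempt), written out as an added example; it is not Jetpack's code and not part of the original thread. The class name `LoginThrottle`, the threshold, base duration, growth factor and cap are all assumptions, since the real specifics are not public, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass
class _Record:
    failures: int = 0
    blocked_until: float = 0.0

class LoginThrottle:
    """Per-IP lockout shared by every login endpoint (wp-login.php, xmlrpc.php)."""

    def __init__(self, max_failures=5, base_block=60.0, factor=2.0, max_block=86400.0):
        # All four values are assumptions chosen for illustration.
        self.max_failures, self.base_block = max_failures, base_block
        self.factor, self.max_block = factor, max_block
        self._records = {}

    def attempt(self, ip, credentials_ok, now):
        """Return 'allowed', 'failed' or 'blocked' for one login attempt."""
        rec = self._records.setdefault(ip, _Record())
        if now < rec.blocked_until:
            # Rejected before credentials are even checked. Counting it as a
            # further attempt (so the block keeps growing) is an assumption.
            self._penalise(rec, now)
            return "blocked"
        if credentials_ok:
            del self._records[ip]          # a clean login resets the counter
            return "allowed"
        return "blocked" if self._penalise(rec, now) else "failed"

    def _penalise(self, rec, now):
        """Count one failure; return the block length imposed (0.0 if none)."""
        rec.failures += 1
        over = rec.failures - self.max_failures
        if over < 0:
            return 0.0
        duration = min(self.base_block * self.factor ** over, self.max_block)
        rec.blocked_until = now + duration
        return duration

    def block_remaining(self, ip, now):
        rec = self._records.get(ip)
        return max(0.0, rec.blocked_until - now) if rec else 0.0

# Constructed sample: one address alternating between both endpoints, one try per second.
EVENTS = [(t, "203.0.113.7", "xmlrpc.php" if t % 2 else "wp-login.php", False)
          for t in range(7)]

def replay(events, throttle):
    # The endpoint is ignored on purpose: both files feed the same per-IP counter.
    return [throttle.attempt(ip, ok, t) for t, ip, _endpoint, ok in events]
```

Because the counter is keyed on the address and not on the endpoint, switching between `wp-login.php` and `xmlrpc.php` does not buy extra guesses.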
No, they just told me that blocking it prevents DDOS and spikes. Even on our server, which I don’t believe has very heavy traffic, we still get 500 errors.
I don’t know if there is a way to find out why. Apart from asking the host again.
We are using CDN from Jetpack on our main website. We have Protect turned on. The other thing Jetpack is good for is the galleries and Publicize, for which there is no other easy option for sending out to social media.
But this thread is particularly about CDN and that xml file.
Internal Server Errors (error 500) are generally unrelated to security concerns and point to a misconfiguration elsewhere.
Additionally, attacks against xmlrpc.php and DDOS attacks are not generally the same thing. A DDOS attack is just brute-force traffic directed to your site, like several thousand bot visits a second. They don’t need xmlrpc.php to do that.
All of Jetpack’s functionality requires xmlrpc.php, including the CDN. xmlrpc.php is how Jetpack communicates with your site.
I would suggest contacting your hosting provider and asking them to unblock your site’s XML-RPC. As already mentioned, the most popular hosting providers out there have managed to find other ways to protect their servers without having to hinder your site and your ability to use services with your WordPress.
If they refuse to make any changes, and if you want to use apps and plugins like Jetpack, I’d suggest looking for a new host. We have some recommended hosting providers at https://ww.wp.xz.cn/hosting/ and Jetpack has some recommendations at https://jetpack.com/hosting/ (none of those hosts block XML-RPC).