
xmlrpc attacks



Most clients and sites do not use the XML-RPC function of WordPress, so we block access to this file in our default Apache configuration.

One optional plugin that is known to require XML-RPC is the Jetpack plugin.

If you need it enabled, just add this code to the top of your .htaccess file for the site in question:

IMPORTANT READING: What is htaccess and why you should back up your file first!




<Files xmlrpc.php>
Order Allow,Deny
Allow from all
</Files>

By enabling only the sites that need it, you protect your server from the overwhelming resource usage of the attack.

To disable xmlrpc.php on specific sites, we recommend using .htaccess to deny access. This prevents any PHP/MySQL system from answering the request, providing the strongest protection:




<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>


Alternatively, if you want to disable XML-RPC for your site, you can add this code to your wp-config.php after the line require_once(ABSPATH . 'wp-settings.php');


add_filter('xmlrpc_enabled', '__return_false');
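
To check which sites still answer xmlrpc.php requests and which are covered by the deny rule, the following added example (not M3Server's own code) summarises POSTs to xmlrpc.php from an access log. It assumes Apache's vhost-first log layout (`%v:%p %h ...`, as in Debian's vhost_combined format); the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout (vhost first): %v:%p %h %l %u %t "%r" %>s %O ...
LINE = re.compile(
    r'^(?P<vhost>\S+?):\d+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_report(lines, threshold=3):
    """Count POSTs to xmlrpc.php per site.

    "blocked" = 403 responses (the deny rule answered the request);
    "answered" = any other status (Apache did not deny the request);
    "noisy_clients" = IPs with at least `threshold` such POSTs to that site.
    """
    stats = defaultdict(lambda: {"blocked": 0, "answered": 0})
    clients = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string; also match subdirectory installs.
        if not m["path"].split("?", 1)[0].lower().endswith("/xmlrpc.php"):
            continue
        stats[m["vhost"]]["blocked" if m["status"] == "403" else "answered"] += 1
        clients[m["vhost"]][m["ip"]] += 1
    return {
        vhost: {**counts, "noisy_clients": sorted(
            ip for ip, n in clients[vhost].items() if n >= threshold)}
        for vhost, counts in stats.items()
    }

# Constructed sample log (documentation IP ranges, example domains).
def _line(vhost, ip, sec, request, status):
    return (f'{vhost}:443 {ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{request} HTTP/1.1" {status} 674 "-" "Mozilla/5.0"')

SAMPLE = (
    [_line("shop.example.com", "203.0.113.7", s, "POST /xmlrpc.php", 200) for s in range(3)]
    + [_line("shop.example.com", "198.51.100.9", 5, "POST /xmlrpc.php?rsd", 200),
       _line("blog.example.org", "203.0.113.7", 6, "POST /xmlrpc.php", 403),
       _line("blog.example.org", "203.0.113.7", 7, "POST /xmlrpc.php", 403),
       _line("blog.example.org", "198.51.100.9", 8, "GET /xmlrpc.php", 403),
       _line("shop.example.com", "198.51.100.9", 9, "POST /wp-login.php", 200)]
)

if __name__ == "__main__":
    for site, row in sorted(xmlrpc_report(SAMPLE).items()):
        print(site, row)
```

A site with a high "answered" count and no plugin that needs XML-RPC is a candidate for the deny rule above.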
