One of the most important files in a WordPress installation is xmlrpc.php. WordPress uses it to communicate with other WordPress sites (the pingback and trackback features), and third-party applications (such as mobile apps) use it to connect to your WordPress site.

Unfortunately, xmlrpc.php can also be abused by attackers. In 2014 and again in 2016, DDoS attacks against WordPress sites used xmlrpc.php to flood their targets with traffic. The attacks caused problems for many WordPress site owners and took some sites down completely.

To protect your WordPress site from xmlrpc.php exploits, you can disable access to the file. This stops external applications (the mobile apps, pingbacks and trackbacks mentioned above) from connecting to your site through XML-RPC, but it does not affect the site's normal operation.

To disable access to xmlrpc.php, add a <Files> directive to your .htaccess file, which is located in the root directory of your WordPress site:

# Block every request to xmlrpc.php (Apache 2.2 access-control syntax; on Apache 2.4
# this requires mod_access_compat, and the native equivalent is "Require all denied")
<Files xmlrpc.php>
  order deny,allow
  deny from all
</Files>

You can also put the <Files> directive in the Apache VirtualHost configuration file, which is the recommended approach: when .htaccess files are enabled, Apache has to look for and parse them on every request, and that costs your site performance.

<VirtualHost *:80>
  ServerName www.example.com
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html

  <Files xmlrpc.php>
    order deny,allow
    deny from all
  </Files>
</VirtualHost>
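Before applying the block, and again afterwards, it is worth checking the Apache access log to see which clients are hitting xmlrpc.php and whether those requests are now being refused with a 403. The script below is an added example, not part of the original post; it assumes Apache's default "combined" log format and runs over a constructed sample log.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed): ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation-range IPs, not from a real server)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "WordPress/6.3"
192.0.2.9 - - [10/Oct/2023:13:57:15 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "curl/8.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_report(log_text):
    """Count xmlrpc.php requests per client IP, split by whether Apache served them
    or refused them with 403 (what the <Files> block above produces)."""
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] != "/xmlrpc.php":
            continue
        bucket = blocked if int(rec["status"]) == 403 else allowed
        bucket[rec["ip"]] += 1
    return {"allowed": dict(allowed), "blocked": dict(blocked)}

def noisy_clients(report, threshold=3):
    """IPs that reached xmlrpc.php successfully at least `threshold` times: either a
    client hammering the endpoint or evidence that the block is not yet in effect."""
    return sorted(ip for ip, n in report["allowed"].items() if n >= threshold)

if __name__ == "__main__":
    rep = xmlrpc_report(SAMPLE_LOG)
    print("xmlrpc.php hits served :", rep["allowed"])
    print("xmlrpc.php hits blocked:", rep["blocked"])
    print("noisy clients          :", noisy_clients(rep))
```

Once the block is live, every xmlrpc.php request should land in the "blocked" bucket; anything still in "allowed" means the directive is not being applied to that request.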

When choosing a hosting platform, make sure you have the ability to disable this feature.

If you choose SEM Focus as your hosting platform, all websites already come with xmlrpc.php access disabled by default, so you do not have to worry about this vulnerability, about hackers taking down your site, or about your SEO being impacted by attackers constantly probing your website for a way in.

Categories: Security