The XML-RPC trap. And how to get rid of it.

SEO - WordPress - Coding Screen

The RockmusicRaider crew sometimes likes to write about stuff not directly related to music, metal, or otherwise. But instead, we touch on things that have peripheral importance to running the blog.

Subject matters such as blogging, site security, SEO (Search Engine Optimization) and their very real implications come to mind. Those are intricately linked to managing your site, and – of course – security considerations.

Today we will touch upon the XML-RPC issue.

Or the past issue, if we want to be entirely correct. As of WordPress 4.7, the matter should be closed, and all integrated into the RESTful API. Should be. Because in truth, backward compatibility will remain an issue for developers for a while. And XML-RPC with it. 

Penitent RockmusicRaider admits to being asleep at the wheel.

The complications of the XML-RPC feature were indeed known. But given the positive news by ‘specialists’ and a firewall umbrella, the risks seemed bearable.

How far from the truth!

Somebody exploited the XML-RPC loophole to their advantage and used my blog’s server resources to do so. To the point that the server got saturated answering the attacker’s requests.

We also found SEO rankings on Google and the mobile index foundering for the blog for quite a while. This is bad for a few reasons: First, the ranking, in general, is important for you to hit the first page (or near to it) for your pages and posts to be found. Second, as Google just changed focus on mobile traffic, away from the traditional desktop, losing traffic for the mobile segment is particularly bad.

And – still having full confidence in the firewall – nothing we did seemed to remedy the situation. Until we found the culprit, of course.

What is XML-PRC and how to solve this mess?

XML-RPC served to perform all sorts of actions for your blog for remote calls. In other words, if you used your phone to update your blog, then you used this feature. Also, plugins like Automattic’s JetPack used XML-RPC to perform its many services to the WordPress community. 

The solution!

Simply fire up the .htaccess file in your root and add the following code:

<Files xmlrpc.php>
Order Allow,Deny
Deny from all

Or – if you must – you can also allow an IP to access, like so:

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
Allow from [xxx].[xxx].[xxx].[xxx]

But have a care, .htaccess is a core file of WordPress, so you can easily break your site. Therefore, always make a backup before you tamper with this file.

If you do not know how to access your .htaccess file, then the Yoast SEO plugin offers a neat feature to update this file easily.

Other possibilities exist, like adding code to your .php files. But this opens up a score of different additional issues best left to developers.  

If you don’t want to mess around with all this, there are still plugins out there like Disable XML-RPC. Those will help, albeit a plugin not updated for some 2 years does not really raise my confidence.


Somebody said that blocking XML-RPC is a trade-off. And indeed, it is. Albeit less so, since the new API has been integrated. You do risk that some plugins or applications may refuse service, but the dangers are at relatively low levels.

We simply decided to block the feature.

And you know what? Traffic is coming back online as it should, and no plugin gave up the ghost.

And truly, if developers are serious about their wares, they already integrated the new features. Those who still rely on XML-RPC need to go out the door.

What were your experiences with that feature? Please share down below.

Raid a comment or twenty!