Last updated: 2024-06-17, edited by 888u
xmlrpc.php is the file in WordPress that implements XML-RPC: it standardizes remote communication with the site by using HTTP as the transport and XML as the encoding. However, xmlrpc.php also introduces security risks and is a frequent target.
Recently this site has received a large number of POST requests to xmlrpc.php, driving CPU load and memory use well above normal; it looks like the site has been scanned and attacked. This is a WordPress security issue and must be taken seriously.
XML-RPC is a specification that supports communication between WordPress and other systems. XML-RPC isn't just for mobile apps: it's also used to allow communication between WordPress and other blogging platforms, and also supports trackbacks and pingbacks. But since the REST API has been integrated into WordPress core, the xmlrpc.php file is no longer used for this communication.
If XML-RPC is enabled on your site, an attacker can use xmlrpc.php to send a large number of pingbacks to your site in a short period of time, effectively launching a DDoS attack against it. This can overload the server and stop the site from working properly. In addition, every XML-RPC request that calls an authenticated method carries a username and password, so attackers also use it to try to compromise your site by guessing logins.
On top of this, WPEXP has also seen attacks use the //xmlrpc.php address (note the double slash) to exhaust the server resources of a WordPress site, which is why the last method below is the one most recommended.
Methods for disabling xmlrpc.php
Therefore, you should disable xmlrpc.php on your site now, but many people do not know how. Deleting the file is the easiest way, but it will be regenerated by the frequent WordPress upgrades, so WPEXP shares five methods of disabling xmlrpc.php for you to choose from.
1. Use a plug-in to disable xmlrpc.php
- Plug-in name: Disable XML-RPC (by Philip Erb)
- Plug-in address: https://wordpress.org/plugins/disable-xml-rpc/
2. Disable xmlrpc.php with a function
Add the following line to the functions.php file of the current theme to disable xmlrpc.php:
// Disable xmlrpc.php through the theme's functions.php file.
// Note: this filter only disables the XML-RPC methods that require authentication.
add_filter('xmlrpc_enabled', '__return_false');
3. Disable in the configuration file
Edit the wp-config.php file in the WordPress root directory and add the following near the top, after the opening <?php tag:
// Reject any request whose URI contains xmlrpc.php before WordPress loads.
if (strpos($_SERVER['REQUEST_URI'], 'xmlrpc.php') !== false) {
    // Echo the client's protocol version in the status line; fall back to HTTP/1.0.
    $protocol = $_SERVER['SERVER_PROTOCOL'] ?? '';
    if (!in_array($protocol, ['HTTP/1.1', 'HTTP/2', 'HTTP/2.0', 'HTTP/3'], true)) {
        $protocol = 'HTTP/1.0';
    }
    header("$protocol 403 Forbidden", true, 403);
    die;
}
4. Block xmlrpc.php in Nginx/Apache
Nginx rules
# The dot is escaped so the regex matches a literal "xmlrpc.php".
location ~* ^/xmlrpc\.php$ {
    return 403;
}
Apache rules
Add the following to the .htaccess file in the WordPress root (the Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use Require all denied inside the same Files block). Without the Files block, Deny from all would block the whole site:
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
5. Block access at the cloud firewall / CDN
The prerequisite for this is that your server's real IP must not be discoverable. Given that, you can add a rule in the cloud firewall or CDN that blocks access to xmlrpc.php, which is better than all of the configurations above: it further reduces the load on the server, because the request is intercepted before it ever reaches your server.
Here we take the Cloudflare WAF as an example. In addition to adding /xmlrpc.php, also add //xmlrpc.php just in case. To keep this easy to follow, the rule here matches on the complete URI; you can also use a URI "contains" rule and fill in /xmlrpc.php.
Secondly, if you run an Nginx firewall through the Pagoda panel, you can also use that firewall to block access to xmlrpc.php. But this still consumes server resources, so if your server IP can be kept from leaking, blocking at the cloud firewall or CDN is best.
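Whichever of the five methods you pick, verify that it actually works from the outside. Here is an added verification script (not part of the original post or of WordPress): it POSTs a harmless system.listMethods call to both /xmlrpc.php and //xmlrpc.php and classifies the reply. A 403 means the request was stopped before WordPress (methods 3, 4 and 5); an XML-RPC fault means WordPress answered, which is what you get from method 2, because the xmlrpc_enabled filter only disables methods that require authentication and leaves pingback.ping and system.listMethods reachable. SITE is a placeholder; the fetch function is injectable so the classification can be exercised without network access.

```python
"""Verify from the outside that xmlrpc.php is blocked after hardening.

Added example, not part of the original post. SITE is a placeholder URL;
the HTTP call is isolated in probe() so check_site() can be tested offline.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SITE = "https://example.invalid"  # placeholder, replace with your own site

# A read-only XML-RPC call that needs no credentials.
LIST_METHODS = (
    '<?xml version="1.0"?><methodCall>'
    "<methodName>system.listMethods</methodName><params></params></methodCall>"
)


def classify_response(status, body):
    """Map an HTTP status and body to a verdict string.

    - 403/404/410: the request never reached WordPress' XML-RPC code.
    - <methodResponse> with <fault>: XML-RPC answered (e.g. fault 405
      "XML-RPC services are disabled" from the xmlrpc_enabled filter).
    - <methodResponse> with <params>: XML-RPC is fully reachable.
    """
    if status in (403, 404, 410):
        return "blocked"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    if root.tag != "methodResponse":
        return "unknown"
    if root.find("fault") is not None:
        return "xmlrpc answered with a fault"
    if root.find("params") is not None:
        return "xmlrpc reachable"
    return "unknown"


def probe(url, timeout=10):
    """POST the listMethods call and return (status, body); network errors give (0, '')."""
    req = urllib.request.Request(
        url, data=LIST_METHODS.encode(), method="POST",
        headers={"Content-Type": "text/xml"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 403 and friends arrive here; keep the body for classification.
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, ""


def check_site(base_url, fetch=probe):
    """Return {path: verdict} for both path variants the post mentions."""
    results = {}
    for path in ("/xmlrpc.php", "//xmlrpc.php"):
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = classify_response(status, body)
    return results


if __name__ == "__main__":
    for path, verdict in check_site(SITE).items():
        print(f"{path}: {verdict}")
```

Both paths should report "blocked" once a server-side or edge rule is in place; if only /xmlrpc.php is blocked while //xmlrpc.php is still reachable, the rule matches too narrowly.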