• Resolved anafasia

    (@anafasia)


    I have Disable XML-RPC authentication unchecked. I have also installed the Stop XML-RPC Attack plugin.

    Could I safely remove the Stop XML-RPC Attack plugin with your option Disable XML-RPC authentication unchecked?

Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @anafasia, thanks for getting in touch!

    The setting to disable XML-RPC authentication by checking the “Disable XML-RPC authentication” box in Wordfence > Login Security > Settings will prevent authentication attempts through that file. However, manual attempts to access the XML-RPC file itself are commonly tried by attackers. I expect that is (one of) the main functions of the plugin you mention. If you choose to disable that plugin, you may need to also add the following code to your .htaccess file if you are certain no plugins you use (such as Jetpack) require access:

    # Block WordPress xmlrpc.php requests
    # (Apache 2.2 access-control syntax; Apache 2.4 accepts it only with mod_access_compat loaded,
    # its native form being "Require all denied")
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

    If you are uncomfortable making changes like this, I do not see an issue in using the Stop XML-RPC Attack plugin with Wordfence if there are no conflicts. Sometimes there can be overlapping features, so keep Disable XML-RPC authentication unchecked if the plugin takes care of this for you.

    Thanks,

    Peter.
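    As an added check (my own script, not code from this thread or from Wordfence), the POSIX shell functions below send an unauthenticated `system.listMethods` call to a site's xmlrpc.php and classify the answer: a web-server deny rule gives 403 (`blocked`), WordPress with XML-RPC turned off answers 200 with an XML-RPC `<fault>` (`disabled`), and an untouched endpoint answers 200 with a method list (`open`). The probe uses POST because xmlrpc.php rejects GET with a 405 even when it is wide open, so a GET in a browser proves nothing. One caveat the thread does not raise: the `order`/`deny` directives are Apache 2.2 syntax, and an Apache 2.4 server without mod_access_compat fails to parse the .htaccess and answers 500 for the whole site, which the classifier reports as `error` rather than `blocked`. It assumes curl is installed; the site URL is a parameter.

```shell
#!/bin/sh
# Added example, not from the thread or from Wordfence: probe whether
# xmlrpc.php on a site is really unusable, and classify what came back.
# Assumes curl is installed; the URL is whatever you pass to probe_xmlrpc.

# Constructed probe body: system.listMethods needs no credentials, so an
# open XML-RPC endpoint answers it with a <methodResponse> listing methods.
XMLRPC_PROBE='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

# classify_xmlrpc_response STATUS BODY
# Prints one word; returns 0 when an attacker cannot use the endpoint:
#   blocked  - the web server refused the request (e.g. the .htaccess deny rule)
#   disabled - WordPress answered, but with an XML-RPC <fault> instead of methods
#   open     - WordPress answered with a method list (returns 1)
#   error    - 5xx, e.g. an .htaccess directive the server cannot parse (returns 2)
#   unknown  - anything else, such as a redirect (returns 2)
classify_xmlrpc_response() {
  status=$1
  body=$2
  case "$status" in
    401|403)
      echo blocked; return 0 ;;
    200)
      # a fault is wrapped in <methodResponse> too, so test for <fault> first
      case "$body" in
        *'<fault>'*)          echo disabled; return 0 ;;
        *'<methodResponse>'*) echo open;     return 1 ;;
      esac ;;
    5??)
      echo error; return 2 ;;
  esac
  echo unknown
  return 2
}

# probe_xmlrpc https://example.com   (network call; needs curl)
# Prints the verdict and returns non-zero if the endpoint is open.
probe_xmlrpc() {
  url="${1%/}/xmlrpc.php"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' -X POST \
    -H 'Content-Type: text/xml' --data "$XMLRPC_PROBE" "$url")
  body=$(cat "$tmp")
  rm -f "$tmp"
  verdict=$(classify_xmlrpc_response "$status" "$body")
  echo "$url: HTTP $status -> $verdict"
  [ "$verdict" != open ]
}
```

    Run `probe_xmlrpc https://your-site.example` (hypothetical URL) before and after the .htaccess change; a `blocked` verdict confirms the file itself is unreachable, while `disabled` means the request still reaches WordPress and only the application layer is refusing it.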

    Thread Starter anafasia

    (@anafasia)

    thanks a lot for your explanation, Peter.

    In fact I added Stop XML-RPC Attack in January and Wordfence at the end of February. In January the site started to be overloaded, but there was also an infection. So I wanted to deactivate Stop XML-RPC Attack at least for a day to see if it has any effect on the site, keeping the Disable XML-RPC authentication box checked in Wordfence. No problem reinstating Stop XML-RPC Attack afterwards.

    Would it be too risky to do so?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @anafasia,

    There is no significant risk in taking this approach for your performance testing, but I would recommend at least one method of protecting XML-RPC going forward, whichever of the above methods you choose to keep permanently, as this is a common attack route.

    Thanks,

    Peter.

    Thread Starter anafasia

    (@anafasia)

    Ok, thanks, I will check Disable XML-RPC authentication and disable Stop XML-RPC Attack for the test, and afterwards I will uncheck Disable XML-RPC authentication and reactivate Stop XML-RPC Attack.

    I also see there is this option:
    Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early)
    Considering I have a delay loading the site, is it safe to test this option? Would I be safe if I only process firewall rules early?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @anafasia,

    We indeed only recommend checking the Delay IP… option for testing purposes, so it is safe to do so, but we do not recommend keeping it enabled permanently. You can by all means see if it has any effect on your site.

    If the firewall is optimized, it should be more efficient to leave this unchecked.

    Thanks,

    Peter.

    Thread Starter anafasia

    (@anafasia)

    Thanks again. Then I will also test it briefly and afterwards I will uncheck it.

    Sorry for asking so many questions, but it seems I also have an issue with scans. Every time I try to run one I get an error:

    Scan failed: There was an error starting the scan: SSL connection timeout

    Scan Failed
    The current scan looks like it has failed. Its last status update was more than 3 hours ago. You may continue to wait in case it resumes or stop and restart the scan. Some sites may need adjustments to run scans reliably. Click here for steps you can try.

    I have a large amount of files, images mainly, stored on my host, around 150 GB right now.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @anafasia, thanks for your response.

    150 GB is a rather large amount of images and you could try excluding the path(s), or just certain file types in those paths, to ensure the scan doesn’t time out. The setting is in Wordfence > All Options > Advanced Scan Options > Exclude files from scan that match these wildcard patterns (one per line).

    You can add something like the following to exclude an entire path:

    wp-content/uploads/images/*

    You can read more about this here: https://www.wordfence.com/help/scan/options/?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#exclude-files

    Thanks again,

    Peter.
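    Excluding the whole uploads tree from the scan also excludes any PHP file that an earlier compromise (or a future one) drops there, which is the usual place a web shell ends up. As an added compensating check (my own script, not from this thread or from Wordfence), the POSIX shell functions below audit an uploads directory for exactly the things a skipped scan would miss: files whose name marks them as executable or as web-server configuration, and files of any extension whose contents contain a PHP open tag. It assumes a standard `find` and `grep`; the directory path is a parameter. Excluding only image types (`*.jpg`, `*.png`, and so on) rather than the path itself keeps these files inside the regular Wordfence scan as well.

```shell
#!/bin/sh
# Added example, not from the thread or from Wordfence: a cheap audit of an
# uploads tree that has been excluded from the malware scan. Uploads should
# hold media only, so anything PHP-like or any .htaccess there deserves a look.
# Assumes POSIX find and a grep that supports -r, -I, -l, -F (GNU and BSD do).

# find_php_in_uploads DIR
# Files whose name alone marks them as executable or as server config:
# shell.php, pic.jpg.php, x.php7, x.phtml, x.phar, .htaccess
find_php_in_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
    -o -iname '*.phar' -o -name '.htaccess' \) | sort
}

# find_php_tags_in_uploads DIR
# Text files containing a PHP open tag whatever their extension, which catches
# PHP code stored as image.jpg or notes.txt (-I skips real binaries).
find_php_tags_in_uploads() {
  grep -rIlF '<?php' "$1" | sort
}

# audit_uploads DIR
# Prints every finding with a label; returns 0 only when nothing was found.
audit_uploads() {
  report=$( {
    find_php_in_uploads "$1"      | sed 's/^/executable name under uploads: /'
    find_php_tags_in_uploads "$1" | sed 's/^/PHP code inside upload: /'
  } )
  [ -n "$report" ] && printf '%s\n' "$report"
  [ -z "$report" ]
}
```

    Run `audit_uploads wp-content/uploads` from the WordPress root after each excluded scan; a non-zero exit means there is something to inspect. A web shell in uploads only matters if the server will execute it, so denying PHP execution under `wp-content/uploads` (a `<FilesMatch "\.php$">` block with `Require all denied` on Apache 2.4) is the usual companion to this audit.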

    Thread Starter anafasia

    (@anafasia)

    Thanks, I will run a manual scan, probably over the weekend, with this exclusion to test if the problem comes from there. All images are stored in a folder with monthly subfolders. Would it be a risk not scanning those folders?

    On the other hand, I have temporarily disabled Stop XML-RPC Attack and now the site works better. It could be a coincidence, but memory usage has decreased significantly. I only activated Stop XML-RPC Attack because I was hacked in January and my host told me to protect this gap.
    With Disable XML-RPC authentication checked and the code you suggested added to my .htaccess file, can I rely on being protected from XML-RPC attacks?
    Would it work if I simply add the code to the end of my .htaccess file?

    `
    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>
    `

    Plugin Support wfpeter

    (@wfpeter)

    Hi @anafasia,

    Yes, the .htaccess change disallows any attempts to access the file itself, and the checkbox in Wordfence prevents attempts to authenticate using the legitimate way the file was designed to be used, so this should provide total protection for xmlrpc.

    Thanks again,

    Peter.

    Thread Starter anafasia

    (@anafasia)

    I’ll still be checking for a few days if I get new errors.

    I have excluded the images from the scan and after a scheduled scan I still got an error message, but over the weekend I ran a manual scan and it completed without errors.

    Thread Starter anafasia

    (@anafasia)

    In scheduled scans it seems I still get the error message:

    Scan Failed
    The current scan looks like it has failed. Its last status update was more than 3 hours ago. You may continue to wait in case it resumes or stop and restart the scan. Some sites may need adjustments to run scans reliably. Click here for steps you can try.

    Thread Starter anafasia

    (@anafasia)

    Sorry, this time the error is different:

    Scan Failed
    The scan has failed to start. This is often because the site either cannot make outbound requests or is blocked from connecting to itself. Click here for steps you can try.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @anafasia, thanks for sending over the further information.

    I’ve noticed the max_execution_time value for your server seems very high at 500 – which can be an issue with scans not completing if any other processes on your server are due to time out earlier.

    Can you do the following so I can see if this fixes it, or provides us with log information I need to help you?

    • Kill the existing scan if it is still running (The “Start New Scan” button turns in to a “Stop” button while the scan is running)
    • Go to your Scan > Scan Options and Scheduling page and locate the “Performance Options”
      Set “Maximum execution time for each scan stage” to 20 on the options page
    • Click to “Save Changes”
    • Go to the Tools > Diagnostics page
    • In the “Debugging Options” section check the circle “Enable debugging mode”
    • Click to “Save Changes”.
    • Start a new scan
    • Copy the last 20 lines or so of the activity log (click the “Show Log” link) once the scan finishes and paste them in the post.

    Sometimes however, you may notice that the maximum execution time change on its own fixes the issue immediately.

    Thanks again,

    Peter.

    Thread Starter anafasia

    (@anafasia)

    Ok, thanks a lot.

    I will make the changes and run a manual scan tonight, as at that time the traffic will be lower.

    Thread Starter anafasia

    (@anafasia)

    I ran the scan manually last night with debugging mode enabled and it was a success:

    `[Mar 18 00:50:21] Scanning posts with 13000 left to scan.
    [Mar 18 00:51:29] Scanning posts with 12000 left to scan.
    [Mar 18 00:52:04] Scanning posts with 11000 left to scan.
    [Mar 18 00:52:28] Scanning posts with 10000 left to scan.
    [Mar 18 00:52:39] Scanning posts with 9000 left to scan.
    [Mar 18 00:52:59] Scanning posts with 8000 left to scan.
    [Mar 18 00:53:07] Scanning posts with 7000 left to scan.
    [Mar 18 00:53:29] Scanning posts with 6000 left to scan.
    [Mar 18 00:53:36] Scanning posts with 5000 left to scan.
    [Mar 18 00:53:43] Scanning posts with 4000 left to scan.
    [Mar 18 00:54:02] Scanning posts with 3000 left to scan.
    [Mar 18 00:54:08] Scanning posts with 2000 left to scan.
    [Mar 18 00:54:15] Scanning posts with 1000 left to scan.
    [Mar 18 00:54:36] Examining URLs found in posts we scanned for dangerous websites
    [Mar 18 00:54:36] Checking 100000 host keys against Wordfence scanning servers.
    [Mar 18 00:54:38] Done host key check.
    [Mar 18 00:54:38] Done examining URLs
    [Mar 18 00:54:40] Scanning comments with 1000 left to scan.
    [Mar 18 00:54:42] Checking 932 host keys against Wordfence scanning servers.
    [Mar 18 00:54:42] Done host key check.
    [Mar 18 00:54:42] Starting password strength check on 2 users.
    [Mar 18 00:54:51] Examining URLs found in the options we scanned for dangerous websites
    [Mar 18 00:54:51] Done examining URLs
    [Mar 18 00:54:51] ——————-
    [Mar 18 00:54:51] Wordfence used 16 MB of memory for scan. Server peak memory usage was: 18 MB
    [Mar 18 00:54:51] Scan Complete. Scanned 2562 files, 14 plugins, 4 themes, 20891 posts, 1340 comments and 235092 URLs in 12 minutes 55 seconds.`

    Then I unchecked the debugging mode and this morning a scheduled scan started and was not able to finish.

    `[Mar 18 09:10:00] Scheduled Wordfence scan starting at Thursday 18th of March 2021 09:10:00 AM
    [Mar 18 09:10:02] Using low resource scanning
    [Mar 18 09:10:02] Contacting Wordfence to initiate scan
    [Mar 18 09:10:09] Total disk space: 246.08 GB — Free disk space: 84.29 GB
    [Mar 18 09:10:09] The disk has 86308.52 MB available
    [Mar 18 09:10:09] Including files that are outside the WordPress installation in the scan.
    [Mar 18 09:10:09] Getting plugin list from WordPress
    [Mar 18 09:10:09] Found 13 plugins
    [Mar 18 09:10:09] Getting theme list from WordPress
    [Mar 18 09:10:09] Found 4 themes
    [Mar 18 09:10:14] 500 files indexed
    [Mar 18 09:10:14] 1000 files indexed
    [Mar 18 09:10:15] 1500 files indexed
    [Mar 18 09:10:15] 2000 files indexed
    [Mar 18 09:10:15] 2500 files indexed
    [Mar 18 09:10:15] 2551 files indexed
    [Mar 18 09:10:18] Analyzed 100 files containing 5.78 MB of data so far
    [Mar 18 09:10:22] Analyzed 200 files containing 6.97 MB of data so far`

    It looks like scheduled scans are not successful. Or maybe it is simply because scheduled scans start in the mornings when there’s a lot of traffic and I run the manual scans at night when activity is low.

  • The topic ‘Disable XML-RPC authentication’ is closed to new replies.