• Resolved agima

    (@agima)


    Hi,
    I have read in many places that XML-RPC is a potential vulnerability and that it is better to disable it.
    But this protocol is obviously used by WordPress.com and Jetpack.

    Is it possible to block access for everyone except the wordpress.com domain in the .htaccess file, like this?

    # Block WordPress xmlrpc.php requests
    # Apache 2.2-style access directives; on Apache 2.4 they only work with mod_access_compat loaded
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    # a single host; "allow from" also accepts CIDR ranges such as 192.0.2.0/24
    allow from 192.0.78.17
    </Files>

    The IP comes from pinging wordpress.com, but maybe another IP should be used.

    Thanks for your help

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Bruce (a11n)

    (@bruceallen)

    Happiness Engineer

    Hi @agima

    Some hosts and plugins believe that blocking access to /xmlrpc.php will stop various hacking attempts. However, XML-RPC support has been built into WordPress core since version 3.5 and is a stable tool. Jetpack, much like other plugins, services, and apps (like our mobile apps), relies on the XML-RPC API to communicate with WordPress.com.

    You can see the IP address ranges that would need to be allowlisted here:

    https://jetpack.com/support/how-to-add-jetpack-ips-allowlist/
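    An added example (not code from the thread, from Jetpack or from WordPress.com) of the checks a site owner would want around such an allowlist: it turns a list of CIDR ranges into the equivalent Apache 2.4 `Require ip` rule, and runs a few constructed Apache access-log lines through the same allowlist to show which xmlrpc.php requests would be denied. The ranges in `ALLOWLIST_CIDRS` are placeholders (documentation ranges plus the single host from the original post), not Jetpack's real ranges; the real ones come from the support page linked above. The single-host entry is kept on purpose, so the last log line shows that a neighbouring address of the pinged host would be denied.

```python
import ipaddress
import re

# Placeholder allowlist, constructed for this example (documentation ranges
# plus the single host from the original post). It is NOT Jetpack's real list;
# take the real ranges from the Jetpack support page.
ALLOWLIST_CIDRS = ["192.0.2.0/24", "198.51.100.0/24", "192.0.78.17"]

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.45 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack by WordPress.com"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.78.18 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack by WordPress.com"
"""

# client IP, then the request line and status of a combined-format entry
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def build_allowlist(cidrs):
    """Parse CIDR strings (or bare hosts) into network objects; a bare host becomes a /32."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def render_htaccess(cidrs):
    """Emit the equivalent Apache 2.4 rule; Require ip replaces Order/Deny/Allow."""
    return (
        "# Block WordPress xmlrpc.php requests except from the allowlist\n"
        "<Files xmlrpc.php>\n"
        f"    Require ip {' '.join(cidrs)}\n"
        "</Files>\n"
    )


def audit_log(lines, networks):
    """Return (ip, allowed) for every xmlrpc.php request in the log, in order."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?")[0] != "/xmlrpc.php":
            continue
        results.append((m.group("ip"), is_allowed(m.group("ip"), networks)))
    return results


if __name__ == "__main__":
    nets = build_allowlist(ALLOWLIST_CIDRS)
    print(render_htaccess(ALLOWLIST_CIDRS))
    for ip, ok in audit_log(SAMPLE_LOG.splitlines(), nets):
        print(f"{ip:<15} {'allowed' if ok else 'DENIED'}")
```

Two caveats when applying this to a real site: the rule only sees the address Apache sees, so behind a CDN or reverse proxy the client IP is the proxy's and the allowlist must be built from the forwarded address instead; and the allowlist has to be refreshed whenever the published ranges change, which is why running the audit against the access log after each change is worthwhile.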

    Thread Starter agima

    (@agima)

    I don’t question the support for XML-RPC; I’m just trying to secure my site as much as possible from bad people.
    I also limit the number of installed plugins.

    I will add all the IPs to my .htaccess file, and I will check regularly whether there are any changes.

    Thank you for your quick response.

    Have a great day

    Plugin Support Animesh Gaurav (a11n)

    (@bizanimesh)

    Hi there,

    Sure, let us know if you have any further questions or come across any other issues.

  • The topic ‘Disable XML-RPC except for WordPress.com’ is closed to new replies.