Stopping the WordPress XML-RPC Hack

This presentation, originally given at the WordPress Orlando Meetup on April 8th, 2014, is a basic tutorial on how to stop the XML-RPC hack in WordPress using just a few lines of code.

Published in: Internet, Technology
Stopping the WordPress XML-RPC Hack

Slide 1: Stopping the XML-RPC Hack
Simple Solutions for a Serious Problem

Slide 2: Adam Soucie
  • Highforge
  • Web Developer
  • Content writer

Slide 3: What is XML-RPC?
  • Allows WordPress to post on your behalf
  • Allows access to WordPress clients
  • Allows for pingbacks and trackbacks

Slide 4: Why is it dangerous?
  • Hijacks your website without your knowledge
  • Uses your site for a DDoS attack
  • Potentially gets your domain labelled as a spammer

Slide 5: How do you stop it?
  • Add a filter to functions.php
  • Prevent access to xmlrpc.php using .htaccess
  • Use a plugin

Slide 6: Method 1: functions.php
  • Completely disables xmlrpc.php
  • Uses a filter
  • One line of code
  • Alternative for Jetpack users is 5 lines

Slide 7: Completely disable XML-RPC…

    add_filter( 'xmlrpc_enabled', '__return_false' );

Slide 8: …or just block pingbacks

    add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
    function remove_xmlrpc_pingback_ping( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    }

Slide 9: Method 2: .htaccess
  • One command
  • Blocks access at the server level for extra security
  • Can also whitelist IPs to allow limited access

Slide 10: To block all access…

    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>

Slide 11: …or to whitelist IPs

    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
        Allow from 987.654.321
    </Files>

Slide 12: Method 3: Use a plugin
  • Mimics the functions.php method
  • Perfect for non-coders
  • The "Disable XML-RPC" plugin is the most common one

Slide 13: Any questions?

Slide 14: More info:
  www.adamsoucie.com
  www.highforge.com
  Illustrations by: Tina Fiume
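Slides 6 to 8 combined into a single must-use plugin, as an added example that is not from the slides or from Highforge; the plugin header, the constant HARDEN_XMLRPC_KEEP_AUTH_METHODS and the extra header/discovery-tag removal are this example's own assumptions, while the WordPress hooks used (xmlrpc_enabled, xmlrpc_methods, wp_headers, bloginfo_url, rsd_link) are real core hooks.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not the slides' code)
 * Description: Combines the functions.php methods from the talk into one
 *              must-use plugin. Place this file in wp-content/mu-plugins/.
 */

// Assumption of this example: set to true when Jetpack (or another XML-RPC
// client) still needs the authenticated methods; only pingbacks are cut then.
if ( ! defined( 'HARDEN_XMLRPC_KEEP_AUTH_METHODS' ) ) {
    define( 'HARDEN_XMLRPC_KEEP_AUTH_METHODS', false );
}

if ( ! HARDEN_XMLRPC_KEEP_AUTH_METHODS ) {
    // Slide 7: refuse every XML-RPC method that requires a login.
    // Caveat: despite its name, 'xmlrpc_enabled' only gates methods that
    // authenticate; unauthenticated ones such as pingback.ping still run,
    // so the pingback filter below is needed in both modes.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Slide 8: drop the pingback methods from the method table so xmlrpc.php
// can no longer be driven to send pingback requests at other sites.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: remove the X-Pingback response header ...
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... the RSD discovery <link> in <head> ...
remove_action( 'wp_head', 'rsd_link' );

// ... and the pingback URL that themes print via bloginfo('pingback_url').
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

After activating, a POST to /xmlrpc.php calling pingback.ping should return an XML-RPC fault naming an unknown method, and responses should no longer carry an X-Pingback header.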
