Avoid XML-RPC Attacks
Learn how to avoid XML-RPC attacks.
This section provides information on how to avoid XML-RPC attacks.
The /xmlrpc.php script is a potential security risk for WordPress sites. Attackers use it to brute-force administrative usernames and passwords, and because its system.multicall method accepts many calls in a single POST request, one request can carry hundreds of login attempts without ever touching /wp-login.php. You can surface this activity by reviewing your Live environment's nginx-access.log. The example below is from a site that uses GoAccess to summarize that log:
```
2 - Top requests (URLs) Total: 366/254431

Hits  Vis.  %      Bandwidth   Avg. T.S.  Cum. T.S.  Max. T.S.  Data
----  ----  -----  ----------  ---------  ---------  ---------  ----
2026  48    0.77%  34.15 KiB   1.27 s     42.74 mn   38.01 s    /xmlrpc.php
566   225   0.21%  12.81 MiB   4.08 s     38.45 mn   59.61 s    /
262   79    0.10%  993.71 KiB  2.32 s     10.14 mn   59.03 s    /wp-login.php
```

Here /xmlrpc.php received more than three times as many hits as the home page, yet from only 48 visitors: a handful of clients hammering the endpoint rather than normal traffic. Pantheon recommends that you disable XML-RPC. The WordPress REST API is a stronger and more secure method for interacting with WordPress via external services.
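GoAccess shows which URL is busy but not who is hitting it. The following script, added here as an example and not part of the original page or Pantheon's tooling, tallies POSTs to xmlrpc.php per client IP from nginx access log lines. The log lines are constructed samples in the standard nginx "combined" format; the exact field layout of a Pantheon nginx-access.log may differ, so adjust the regular expression if yours does not parse.

```php
<?php
// Added example (not from the Pantheon page): count xmlrpc.php POSTs per client IP.
// Assumes nginx "combined" log format:
//   IP - user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"

function xmlrpc_hits_per_ip( array $lines ) {
    $counts = array();
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;                                   // skip lines that do not parse
        }
        list( , $ip, $method, $path ) = $m;
        $path = parse_url( $path, PHP_URL_PATH );        // drop any query string
        // Match /xmlrpc.php and nested-docroot variants such as /wp/xmlrpc.php.
        if ( $method === 'POST' && substr( $path, -11 ) === '/xmlrpc.php' ) {
            $counts[ $ip ] = ( isset( $counts[ $ip ] ) ? $counts[ $ip ] : 0 ) + 1;
        }
    }
    arsort( $counts );                                  // noisiest client first
    return $counts;
}

// Constructed sample log lines (RFC 5737 documentation addresses).
$sample = array(
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2024:12:00:04 +0000] "POST /wp/xmlrpc.php?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
);

foreach ( xmlrpc_hits_per_ip( $sample ) as $ip => $n ) {
    printf( "%6d  %s\n", $n, $ip );
}
```

Feed it the real file with `file( 'nginx-access.log', FILE_IGNORE_NEW_LINES )` in place of `$sample`; a single IP accounting for most of the hits is the brute-force pattern the GoAccess table above only hints at.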
Pantheon's WordPress upstream has blocked requests to xmlrpc.php by default since the WordPress 5.4.2 core release. If your site runs a version of WordPress older than 5.4.2, apply the upstream updates to receive this protection.
Enable XML-RPC via Pantheon.yml
XML-RPC is not recommended on the Pantheon platform, and Pantheon does not support it if you enable it. You can nevertheless re-enable access to XML-RPC for tools and plugins that require it, such as Jetpack or the WordPress mobile app.
Modify your site's `pantheon.yml` file to allow access to the `xmlrpc.php` path:

pantheon.yml
```yaml
protected_web_paths_override: true
protected_web_paths:
  - /private
  - /wp-content/uploads/private
```

Setting `protected_web_paths_override: true` replaces the platform's default list of protected paths (which includes `/xmlrpc.php`) with the list you declare. This maintains the normal security settings for the other paths, but allows access to XML-RPC. Because the endpoint is now reachable from anywhere, follow the remaining steps below to block all requests to the `xmlrpc.php` file EXCEPT those from addresses on your IP allowlist:

1. Add Jetpack IP addresses to the `is_from_trusted_ip` function of your `wp-config.php` file.

2. Add `/xmlrpc.php` to your `$disallow_uri` array, for example:

   ```php
   $disallow_uri = array(
       '/xmlrpc.php',
   );
   ```

The reference code demonstrates IP-based restrictions in the context of locking down admin paths (like `/wp-admin/` and `/wp-login.php`). While locking down admin paths is a best practice, it may not fit all site use cases and it is not required to solve this specific Jetpack issue. If you opt to keep admin paths in the `$disallow_uri` array, you will need to add IP addresses for yourself and every site administrator to the `$trusted_ips` array in addition to the Jetpack IPs added in the previous step.
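To make the two steps above concrete, here is a self-contained version of the allowlist logic, added as an example for this page; it is not Pantheon's reference `wp-config.php` snippet, whose exact function signatures may differ. The IP ranges are RFC 5737 placeholders that you must replace with the Jetpack ranges Automattic publishes, the helpers `xmlrpc_ip_in_cidr` and `xmlrpc_request_blocked` are hypothetical names, and the block assumes `$_SERVER['REMOTE_ADDR']` holds the client address on your platform.

```php
<?php
// Added example: IP allowlist for /xmlrpc.php, intended for wp-config.php.
// Not Pantheon's reference code. IP ranges below are placeholders.

// Trusted sources, as single IPs or IPv4 CIDR ranges. Replace with the Jetpack
// ranges (and, if you also restrict admin paths, your administrators' addresses).
$trusted_ips = array(
    '192.0.2.10',       // placeholder: one administrator address
    '198.51.100.0/24',  // placeholder: stand-in for a Jetpack range
);

// Path prefixes only trusted IPs may reach. Keep just /xmlrpc.php unless you
// also want to lock down /wp-admin/ and /wp-login.php.
$disallow_uri = array(
    '/xmlrpc.php',
);

// Hypothetical helper: true when $ip is inside $cidr ('a.b.c.d' or 'a.b.c.d/n'). IPv4 only.
function xmlrpc_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        return ip2long( $ip ) !== false && ip2long( $ip ) === ip2long( $cidr );
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false ) {
        return false;                                   // malformed input never matches
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

// Assumed signature: the page only says Jetpack IPs go "in" this function.
function is_from_trusted_ip( $ip, $trusted_ips ) {
    foreach ( $trusted_ips as $cidr ) {
        if ( xmlrpc_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: true when the path is restricted and the client is untrusted.
// Kept free of side effects so it can be unit tested outside WordPress.
function xmlrpc_request_blocked( $request_uri, $client_ip, $disallow_uri, $trusted_ips ) {
    $path = parse_url( $request_uri, PHP_URL_PATH );   // "/xmlrpc.php?rsd" still matches
    foreach ( $disallow_uri as $prefix ) {
        if ( $path !== null && strpos( $path, $prefix ) === 0 ) {
            return ! is_from_trusted_ip( $client_ip, $trusted_ips );
        }
    }
    return false;
}

// Enforce only for web requests on Pantheon (PANTHEON_ENVIRONMENT is set there),
// before WordPress loads. Assumption: REMOTE_ADDR carries the real client address.
if ( isset( $_ENV['PANTHEON_ENVIRONMENT'] ) && PHP_SAPI !== 'cli'
     && xmlrpc_request_blocked( $_SERVER['REQUEST_URI'], $_SERVER['REMOTE_ADDR'], $disallow_uri, $trusted_ips ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit( 'Forbidden' );
}
```

The prefix match on the decoded path is deliberate: comparing the raw `REQUEST_URI` with `===` would let `/xmlrpc.php?anything` slip past. Remember that this PHP-level check only runs because the `pantheon.yml` override above lets the request reach PHP at all; the platform's default protected path never executes a line of WordPress.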
Disable XML-RPC via a Custom Plugin
This method uses a custom plugin, so you can toggle between the activated and deactivated states without deploying code. The plugin registers no XML-RPC methods at all, so the exploitable methods previously available via POST requests (credential-based calls, system.multicall, pingbacks) are no longer served. Note that the `/xmlrpc.php` file still executes for every request and answers with an XML-RPC fault: this removes the credential-guessing surface but, unlike a platform-level block, does not reduce the request load shown in the access log.
1. Set the connection mode to SFTP for the Dev or target Multidev environment via the Pantheon Dashboard or with Terminus:

   ```bash
   terminus connection:set <site>.<env> sftp
   ```

2. Use Terminus and WP-CLI's `scaffold plugin` command to create a new custom plugin. In the following example, replace `my-site` with your Pantheon site name, and `disable-xmlrpc` with your preferred name for this new plugin:

   ```bash
   terminus wp my-site.dev -- scaffold plugin disable-xmlrpc
   ```

3. Add the following lines to the main PHP plugin file:

   wp-content/plugins/disable-xmlrpc/disable-xmlrpc.php
   ```php
   // Disable /xmlrpc.php: return an empty method table. Running at PHP_INT_MAX
   // priority means this filter executes last, so no other plugin can add methods back.
   add_filter('xmlrpc_methods', function () { return []; }, PHP_INT_MAX);
   ```

   If your site uses a nested web root directory, you must include that directory wherever you reference the path. For example, if your nested web root is `/wp`, use `/wp/xmlrpc.php` instead of `/xmlrpc.php`.

4. Activate the new plugin from within the WordPress admin dashboard, or via Terminus and WP-CLI:

   ```bash
   terminus wp my-site.dev -- plugin activate disable-xmlrpc
   ```

5. Commit and deploy your code changes.

6. Activate the plugin on your Test and Live environments.