Avoid XML-RPC Attacks
Learn how to avoid XML-RPC attacks.
The /xmlrpc.php script is a security risk for WordPress sites. Attackers use it to brute force administrative usernames and passwords, and because XML-RPC's system.multicall method lets a single POST request carry hundreds of login attempts, the attack is far cheaper for them than hammering wp-login.php. You can surface this by reviewing your Live environment's nginx-access.log: look for a high volume of POST requests to /xmlrpc.php from a small set of client IP addresses. The example below is from a site that uses GoAccess.
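Since one multicall POST can hide many credential guesses, the number of POSTs to /xmlrpc.php per client address is the signal to tally, not the number of failed logins. The following PHP CLI script is an added example, not code from this page or from Pantheon: it parses constructed nginx combined-format log lines (the IP addresses, timestamps, user agents and the alert threshold are all made up) and reports POST hits on /xmlrpc.php per IP, flagging addresses above the threshold.

```php
<?php
// Added example: tally POST requests to /xmlrpc.php per client IP from
// nginx combined-format access log lines. Sample data is constructed and
// uses RFC 5737 documentation addresses; it is not a real Pantheon log.

$sample_log = <<<'LOG'
203.0.113.9 - - [12/Mar/2024:08:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:08:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:08:14:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2180 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:08:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2024:08:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 22050 "-" "Jetpack by WordPress.com"
198.51.100.23 - - [12/Mar/2024:08:14:09 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.4.0"
LOG;

/**
 * Count POST requests to /xmlrpc.php per client IP.
 * Only POST matters: GET /xmlrpc.php cannot carry a method call.
 * Returns array( ip => count ) sorted by count, highest first.
 */
function count_xmlrpc_posts( $log_text ) {
    $counts = array();
    // combined format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/xmlrpc\.php(?:\?[^" ]*)? HTTP\/[0-9.]+" (\d{3}) (\S+)/';
    foreach ( preg_split( '/\R/', trim( $log_text ) ) as $line ) {
        if ( preg_match( $pattern, $line, $m ) ) {
            $ip = $m[1];
            $counts[ $ip ] = isset( $counts[ $ip ] ) ? $counts[ $ip ] + 1 : 1;
        }
    }
    arsort( $counts );
    return $counts;
}

// Constructed threshold. A legitimate integration such as Jetpack also POSTs
// here, so tune this to the normal XML-RPC volume of your own site.
$threshold = 3;

foreach ( count_xmlrpc_posts( $sample_log ) as $ip => $n ) {
    $flag = $n >= $threshold ? '  <-- investigate' : '';
    printf( "%-16s %5d POST /xmlrpc.php%s\n", $ip, $n, $flag );
}
```

Run it against a real log with `php tally.php < nginx-access.log` after swapping the heredoc for `stream_get_contents( STDIN )`. Repeated identical small response sizes (the 403-byte bodies in the constructed sample) are another tell: a login fault is the same length every time, whereas a real integration returns data of varying size.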
Pantheon recommends that you disable XML-RPC. The WordPress REST API is a more robust and more secure way for external services to interact with WordPress.
Pantheon has blocked requests to xmlrpc.php by default since the WordPress 5.4.2 core release. If your site runs a version of WordPress older than 5.4.2, apply the available upstream updates to get this block.
Enable XML-RPC via pantheon.yml
Enabling XML-RPC is not recommended on the Pantheon platform, and Pantheon does not provide support for XML-RPC if you enable it.
You can re-enable access to XML-RPC for tools and plugins that require it, such as Jetpack or the WordPress mobile app.
- Modify your site's pantheon.yml file to allow access to the xmlrpc.php path:
This keeps the normal security settings for all other paths, but allows access to XML-RPC. Follow the remaining steps below to block all requests to the xmlrpc.php file except those from the IP addresses on your allowlist.
- Add the Jetpack IP addresses to the is_from_trusted_ip function in your wp-config.php file.
- Add /xmlrpc.php to your disallow_uri array, for example:
The reference code demonstrates IP-based restrictions in the context of locking down admin paths (such as /wp-admin/ and /wp-login.php). Locking down admin paths is a best practice, but it does not fit every site and it is not required to solve this specific Jetpack issue. If you keep the admin paths in the $disallow_uri array, you must add the IP addresses of yourself and every other site administrator to the $trusted_ips array, in addition to the Jetpack IPs added in the previous step; otherwise you will lock yourself out of the dashboard.
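The following is an added example of the wp-config.php allowlist described above; it is my own code, not Pantheon's reference code. It keeps the names the page uses ($trusted_ips, $disallow_uri, is_from_trusted_ip) and adds CIDR matching, because Jetpack publishes its addresses as ranges. The helper name pantheon_example_ip_in_cidr and the placeholder addresses (RFC 5737 documentation ranges) are mine; replace the placeholders with the current Jetpack list and your administrators' addresses. It assumes $_SERVER['REMOTE_ADDR'] carries the real client address, which it does behind Pantheon's edge.

```php
<?php
// Added example for wp-config.php: refuse requests to the paths in $disallow_uri
// unless the client IP is on the $trusted_ips allowlist. Not Pantheon's
// reference code. Place it near the top of wp-config.php, before WordPress
// is loaded.

// Constructed placeholders. Replace with Jetpack's published ranges and the
// addresses of every site administrator if you also lock down admin paths.
$trusted_ips = array(
    '192.0.2.0/24',   // placeholder for a Jetpack CIDR range
    '198.51.100.7',   // placeholder for a single administrator address
);

// Paths only trusted IPs may reach. The admin paths are optional; uncomment
// them only after every administrator's IP is in $trusted_ips.
$disallow_uri = array(
    '/xmlrpc.php',
    // '/wp-admin/',
    // '/wp-login.php',
);

/**
 * True when the IPv4 address $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/nn").
 * Hypothetical helper added for this example; IPv4 only.
 */
function pantheon_example_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        $cidr .= '/32';                     // bare address = single host
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits        = max( 0, min( 32, (int) $bits ) );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false ) {
        return false;                       // malformed input never matches
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * True when the requesting client is on the allowlist.
 */
function is_from_trusted_ip() {
    global $trusted_ips;
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( $trusted_ips as $cidr ) {
        if ( pantheon_example_ip_in_cidr( $remote, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// Skip the check under WP-CLI and cron: there is no HTTP request to inspect,
// and exiting here would break Terminus/WP-CLI commands against the site.
if ( 'cli' !== php_sapi_name() && isset( $_SERVER['REQUEST_URI'] ) ) {
    $path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    foreach ( $disallow_uri as $uri ) {
        if ( null !== $path && 0 === stripos( $path, $uri ) && ! is_from_trusted_ip() ) {
            header( 'HTTP/1.1 403 Forbidden' );
            exit( 'Forbidden' );
        }
    }
}
```

The path is compared after parse_url() strips any query string, so `/xmlrpc.php?for=jetpack` is still caught. Test from an address that is not on the list before deploying to Live: a POST to /xmlrpc.php should return 403, while a request from the allowlisted range should reach WordPress as before.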
Disable XML-RPC via a Custom Plugin
This method lets you turn XML-RPC blocking on and off by activating or deactivating a custom plugin, without deploying code. The plugin disables XML-RPC so that the exploitable methods previously reachable via POST requests to xmlrpc.php are no longer served.
- Set the connection mode to SFTP for the Dev or target Multidev environment via the Pantheon Dashboard or with Terminus:
- Use Terminus and WP-CLI's scaffold plugin command to create a new custom plugin. In the following example, replace my-site with your Pantheon site name, and disable-xmlrpc with your preferred name for this new plugin:
- Add the following lines to the main PHP plugin file:
- Activate the new plugin from within the WordPress admin dashboard, or via Terminus and WP-CLI:
- Commit and deploy your code changes.
- Activate the plugin on your Test and Live environments.
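A complete plugin file for the procedure above, as an added example; it is not Pantheon's reference plugin and the plugin header is the one WP-CLI's scaffold would generate, filled in by hand. It assumes the plugin was scaffolded as disable-xmlrpc, so the file is wp-content/plugins/disable-xmlrpc/disable-xmlrpc.php. One caveat the example handles: the xmlrpc_enabled filter is checked in WordPress's XML-RPC login routine, so it only refuses methods that require credentials; unauthenticated methods such as pingback.ping stay reachable unless they are also removed through the xmlrpc_methods filter.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC
 * Description: Disables XML-RPC and stops advertising the endpoint. Added example, not Pantheon's reference plugin.
 * Version:     1.0.0
 */

// Refuse every authenticated XML-RPC call. WordPress checks this filter when
// a method tries to log in, so brute force via wp.getUsersBlogs or
// system.multicall gets a faultCode 405 response instead of a password check.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled does not cover methods that need no login. Remove the ones
// abused for amplification (pingback) and for fingerprinting (demo.*), plus
// system.multicall so batched guessing fails even if another plugin
// re-enables XML-RPC.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['demo.sayHello'],
        $methods['demo.addTwoNumbers']
    );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> in <head>, both of which point clients at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Treat pingbacks as closed on every post, including those that predate
// this plugin.
add_filter( 'pings_open', '__return_false', 10, 2 );
```

With the assumed site name my-site, the Dev activation in the procedure is `terminus wp my-site.dev -- plugin activate disable-xmlrpc`, and the same command against my-site.test and my-site.live activates it there once the code is deployed. To verify, POST a wp.getUsersBlogs call with any credentials to /xmlrpc.php: the response should be an XML-RPC fault with faultCode 405 rather than a login failure, and the X-Pingback header should be absent from normal page responses.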