Your Wordpress site is vulnerable due to Xmlrpc.php

Google the keyword ‘xmlrpc.php’ and you will get a full page of results explaining why you should disable xmlrpc.php. It almost seems that having this file on a hosted WordPress site is generally a bad idea.

What can xmlrpc.php do?

Basically, it allows every operation supported by the WordPress XML-RPC API to be executed, provided the request carries valid account credentials (a username and password). To name a few, it can:


  • Insert new post

  • Delete post

  • Edit post

  • Add comment

  • Get any information related to the site.

So you get the idea: almost everything a site owner can do through the WordPress GUI.

This behaviour makes xmlrpc.php worse

Type a URL of the form https://yourwordpresssite.wordpress.com/xmlrpc.php into the address bar and hit Return. Most likely the response will be "XML-RPC server accepts POST requests only." That means the xmlrpc.php file is enabled and ready to be called from anywhere, at any time, for as long as the site is up. On top of that, the file ships enabled in a fresh WordPress install. An attacker is just one step away from controlling the whole site: obtaining valid login credentials. And the best part (for the attacker) is that they can simply script an endless brute-force of the username and password, with no limit on the number of attempts.
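Because a credential-guessing run against xmlrpc.php is nothing more than a burst of POST requests to one path, it is easy to spot from the web server's access log. The following is an added example, not code from the original post or from WordPress: it parses Apache "combined" format log lines and flags any source address that sends more than a threshold of POSTs to xmlrpc.php within a sliding time window. The sample log lines are constructed for the demo, and the threshold (20 requests per 60 seconds) is an assumed starting point to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a well-formed combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc_post(rec):
    """True for a POST to xmlrpc.php; the query string (e.g. ?rsd) is ignored."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/xmlrpc.php")


def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Map each source IP to its peak count of xmlrpc.php POSTs inside any `window`,
    keeping only IPs whose peak reaches `threshold`.

    HTTP status is deliberately not used: WordPress answers a failed XML-RPC login
    with an HTTP 200 carrying an XML fault, so a guessing run looks like all-200s.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_xmlrpc_post(rec):
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _constructed_line(ip, ts, method, path, status, ua):
    """Build one constructed combined-format line for the demo (not real traffic)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 403 "-" "{ua}"'


T0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

# Constructed sample log: one guessing burst, one probe, one legitimate client, one junk line.
SAMPLE_LOG = [
    # 30 POSTs in 45 seconds from a single address: the pattern described above.
    _constructed_line("203.0.113.7", T0 + timedelta(seconds=i * 1.5),
                      "POST", "/xmlrpc.php", 200, "Mozilla/5.0")
    for i in range(30)
] + [
    # A GET probe, which only yields "XML-RPC server accepts POST requests only."
    _constructed_line("198.51.100.20", T0 + timedelta(seconds=5), "GET", "/xmlrpc.php", 200, "curl/8.0"),
    # A legitimate publishing client posting twice, an hour apart.
    _constructed_line("192.0.2.9", T0, "POST", "/xmlrpc.php?rsd", 200, "WordPress/6.3"),
    _constructed_line("192.0.2.9", T0 + timedelta(hours=1), "POST", "/xmlrpc.php", 200, "WordPress/6.3"),
    # Unrelated traffic and a malformed line, both ignored.
    _constructed_line("192.0.2.9", T0, "GET", "/wp-login.php", 200, "Mozilla/5.0"),
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} xmlrpc.php POSTs inside a 60 s window")
```

Run it over a real access log with `find_bruteforce(open("access.log"))`; a flagged address is a candidate for rate limiting or blocking at the web server, and the same counter can drive a fail2ban-style rule. Because an attacker can spread attempts over several addresses, the per-IP count is a first signal, not a complete detection.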

Delete the file to be safe? You don't need to.

While deleting xmlrpc.php, or disabling it through the .htaccess file, is what most people suggest to cover this WordPress vulnerability, that advice only holds if the site owner has no wish to use the powerful WordPress API, for example to run a bot that automates the posting process.

The simplest trick for keeping xmlrpc.php usable without risking compromise of the whole site is to rename xmlrpc.php to another name. Any random name will do; for best results, make it as long and complicated as a crypto private key.

Guessing the new name of the original xmlrpc.php would take any malicious party a long time, and nobody can even be sure that xmlrpc.php is enabled on the targeted site. Of course, for the average user who never makes use of such advanced WordPress features, the best thing to do is probably just to disable it.


Posted from my blog with SteemPress: https://fr3eze.vornix.blog/your-wordpress-site-is-vulnerable-due-to-xmlrpc-php/

