Do you want to disable XML-RPC on your WordPress site?
XML-RPC is a core WordPress API that lets users connect to their WordPress website through third-party apps, tools and services. Unfortunately, hackers have previously found ways to exploit XML-RPC to gain access to WordPress websites.
In this article, we will show you how to easily disable XML-RPC in WordPress.
What Is XML-RPC in WordPress?
XML-RPC is a core WordPress API that has been enabled by default since WordPress 3.5 was released in 2012. It allows developers to use the XML and HTTPS protocols to connect to and interact with your WordPress website.
In short, you need XML-RPC enabled to access and publish to your blog remotely, for example when you want to use a mobile app to manage your site or connect to automation services such as Uncanny Automator or Zapier.
But if you are not using mobile apps with your website, some WordPress security experts may advise you to disable XML-RPC. This closes a door that could potentially be used to hack your website.
With that said, let's take a look at how to easily disable the XML-RPC API in WordPress. The .htaccess method is best because it is the least resource-intensive, while the other methods are easier for beginners.
Method 1: Disable WordPress XML-RPC Using .htaccess (Advanced)
This method is for advanced users because it requires you to edit your site's .htaccess file. We recommend that beginners use Method 2 or 3.
This approach has several advantages, such as the ability to give remote access to yourself and your team while blocking everyone else. It also won't negatively affect your WordPress performance, because it blocks XML-RPC requests before they are passed on to WordPress.
You need to add the following code to your .htaccess file. You can do this by connecting to your website with an FTP client or file manager. All in One SEO users can also use the plugin's built-in editor tool to add the code snippet, as you can see in the screenshot below.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
If you want to give a specific user remote access to your site, simply replace "123.123.123.123" on line 5 with that user's IP address. You can add multiple IP addresses by separating them with spaces.
Or, if you want to disable XML-RPC completely, you can remove line 5 entirely.
Note: If you cannot locate .htaccess, see our guide on why you can't find .htaccess in WordPress.
Method 2: Disable WordPress XML-RPC Using a Code Snippet (Recommended)
This method requires you to add a little code to your WordPress website. If you haven't done this before, take a look at our guide on how to copy and paste custom code snippets in WordPress.
WPCode is the easiest and safest way to add code to your WordPress site. It helps you manage your code snippets and prevents errors from breaking your site.
In this method, we will use one of WPCode's built-in code snippets to disable XML-RPC.
First, you need to install the free WPCode plugin. For step-by-step instructions, see our guide on how to install a WordPress plugin.
Once activated, head to Code Snippets » Add Snippet. The WPCode library already includes a snippet that disables XML-RPC. You can find it by searching for 'XML'.
Once you have found it, click the "Use snippet" button.
Next, toggle "Active" to the "On" position.
Finally, make sure you click the "Update" button to activate the snippet on your site and disable the XML-RPC API.
Method 3: Disable WordPress XML-RPC Using a Plugin
This is a simple method you can use if you don't want to add any other customizations to your website with a code snippet plugin.
Simply install and activate the Disable XML-RPC-API plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
The plugin works out of the box and will immediately disable XML-RPC.
You can navigate to XML-RPC Security » XML-RPC Settings to configure the plugin. For example, you can allow certain users to access XML-RPC by whitelisting their IP addresses.
Testing That WordPress XML-RPC Is Disabled
You should now check that you have successfully disabled the XML-RPC API on your WordPress website.
You can check that XML-RPC is disabled by simply visiting the URL http://example.com/xmlrpc.php in your browser. Make sure you replace "example.com" with your own website's domain name.
If XML-RPC is disabled, you should see an error message: "Forbidden: You don't have permission to access this resource."
We hope this article helped you learn how to easily disable XML-RPC in WordPress. You may also want to learn how to install Google Analytics in WordPress, or check out our list of chat support software for small businesses.
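The browser check above sends a GET, and an enabled site answers a GET with "XML-RPC server accepts POST requests only.", so a scripted check should POST. The script below is an added example, not code from the article: probe_xmlrpc POSTs a harmless system.listMethods call to a site you administer and classify_xmlrpc turns the status and body into a verdict; XMLRPC_URL is a placeholder, and the 'disabled' branch matches the fault WordPress core returns for authenticated methods when the xmlrpc_enabled filter is off (what snippet-based methods use), which unauthenticated calls never trigger.

```shell
#!/bin/sh
# Added example (not from the article): script the xmlrpc.php check.
# probe_xmlrpc POSTs a harmless system.listMethods call; classify_xmlrpc
# maps the reply to a one-word verdict. XMLRPC_URL is a placeholder.

XMLRPC_REQUEST='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>'

# classify_xmlrpc STATUS BODY -> blocked | disabled | reachable | unknown
classify_xmlrpc() {
  status="$1"
  body="$2"
  case "$status" in
    403)
      # The web server refused the request (.htaccess or nginx deny rule):
      # it never reached WordPress, so no PHP ran. This is what Method 1 gives.
      echo blocked ;;
    200)
      if printf '%s' "$body" | grep -q 'XML-RPC services are disabled on this site'; then
        # WordPress core's fault for authenticated methods when the
        # xmlrpc_enabled filter returns false (the code-snippet approach).
        # Unauthenticated methods such as system.listMethods still answer.
        echo disabled
      elif printf '%s' "$body" | grep -q '<methodResponse>'; then
        # xmlrpc.php executed and answered: the endpoint is still reachable.
        echo reachable
      else
        echo unknown
      fi ;;
    *) echo unknown ;;
  esac
}

# probe_xmlrpc SITE_URL -> prints the verdict for SITE_URL/xmlrpc.php
probe_xmlrpc() {
  site="$1"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' \
    -H 'Content-Type: text/xml' --data "$XMLRPC_REQUEST" "$site/xmlrpc.php")
  body=$(cat "$tmp")
  rm -f "$tmp"
  printf '%s/xmlrpc.php -> %s\n' "$site" "$(classify_xmlrpc "$status" "$body")"
}

# Only run the live probe when a site is given, e.g.
#   XMLRPC_URL=https://example.com sh check-xmlrpc.sh
if [ -n "${XMLRPC_URL:-}" ]; then
  probe_xmlrpc "$XMLRPC_URL"
fi
```

Only a 403 proves the request was stopped before WordPress; a 'disabled' or 'reachable' verdict means xmlrpc.php is still being executed for every request, which matters if the concern is request floods rather than logins.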
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Syed Balkhi says
Hey WPBeginner readers,
Did you know you can win exciting prizes by commenting on WPBeginner?
Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
You can get more details about the contest from here.
Start sharing your thoughts below to stand a chance to win!
Jiří Vaněk says
Thank you for the snippet. In the end, I disabled XML-RPC using WPCode because it seemed like the easiest way, and I can also easily revert XML-RPC back. Great!
Pete Mason says
In .htaccess, the line:
allow from 123.123.123.123
Looks like it wants to be edited with my IP address. But this is not stated anywhere —?
Christine says
Is there a difference between disabling and blocking?
WPBeginner Support says
Blocking would attempt to limit access to the feature while disabling would turn it off completely. If you disable it you wouldn’t need to worry about someone accessing it through a different method.
Administrator
Rashmi K says
The recommended plugin Disable XML-RPC has not been updated in the last 2 years. It says the plugin has not been tested with the last 3 releases of WordPress.
WPBeginner Support says
For our stance on the not tested warning, you would want to take a look at our article below:
https://www.wpbeginner.com/opinion/should-you-install-plugins-not-tested-with-your-wordpress-version/
Administrator
Nikhil says
Hi,
Will disabling the xmlrpc.php access also disable the access to WordPress APIs used for Android/iOS app development?
WPBeginner Support says
That would depend on the API being used by the apps themselves.
Administrator
Vyom says
Found the solution:
Adding following information in nginx config:
# nginx block xmlrpc.php requests
location /xmlrpc.php {
deny all;
}
Vyom says
I use nginx instead of Apache. Can I still use .htaccess on my site?
And do I need to store this file in public_html directory, or one level above it?
WPBeginner Support says
If you're using nginx then you would not be able to use .htaccess.
Administrator
Vyom says
Thanks for the reply. So is there an alternative for nginx?
WPBeginner Support says
You would add the site-specific plugin or the plugin from earlier in the article.
Chinecherem Somto says
Hi, is it in the .htaccess file in the website root that I will paste the code?
WPBeginner Support says
Yes, the .htaccess in your site's root folder is where you would add the .htaccess code.
Administrator
Mojtaba Rezaeian says
Thank you author.
WPBeginner Support says
You are welcome Mojtaba
Administrator
Bapi says
How do I use multiple IPs or an IP range like 123.123.123.1, 2, 3, …… 100, 101?
malcolm says
Why would we allow 123.123.123.123?
If we aren't using the service at all, why not let "deny all" be absolute?
Edward says
If I'm reading the code correctly:
order deny,allow – puts deny before allow, since deny is 'all' then allow isn't processed
deny from all – does what it says
allow from 123.123.123.123 – is a placeholder
I gather that if you have a fixed IP address you could change order to "allow,deny" and replace 123.123.123.123 with your IP address. That would allow your IP then deny all others.
David Hoy says
Thanks WP-Beginner, I'm trying to be the baddest WP boy in my neighbourhood and this is exactly why I keep coming back to you guys; each question I have, you say: here is the easy way, and here is the RIGHT way.
Me and my .htaccess are going to have a little chat about htpasswd and this here XMLRPC thingy my clients will never need.
You all just made my corner of the net a little bit safer, as MailChimp would say: High Fives!
WPBeginner Support says
Hey David,
Thanks for the kind words. We are glad you find WPBeginner helpful.
Administrator
Cezar says
Ok, I will use this code, but I want IFTTT to work on my website. What do I need to add?
# Block WordPress xmlrpc.php requests
order deny,allow
deny from all
allow from 123.123.123.123
PhilB says
Hi,
I have followed the instructions to block the xmlrpc.php file using .htaccess, but I'm not sure if it is working.
I'm using Wordfence Security, and in the live traffic view I can see the requests for the xmlrpc.php file have stopped, but if I check my access logs
tail -f /apache2/logs/access_log
I can still see the requests coming in, but the code at the end has changed from 500 to 403. I'm concerned I'm getting a false report from my Wordfence plugin and that I'm still being flooded with spam. Can anyone advise?
Thanks,
PhilB
David Hoy says
Oh yeah! That's working perfectly, your XMLRPC is FORBIDDEN!
HTTP Status Code 403: The server understood the request but refuses to authorize it.
Raymundo says
I got a weird problem…
I'm using my WordPress blogs with IFTTT and all worked fine, until I integrated it with MaxCDN; IFTTT immediately stopped working. I did some research and the problem might be related to XML-RPC that was de-activated.
When I check my dashboard in "Settings" > "Writing", I don't see anything like XML-RPC, Remote Publishing, etc. I've checked the database in options; also xml-rpc is not available / missing.
I need to activate XML-RPC to keep my IFTTT working.
How do I re-activate XML-RPC? All I need is a script that I can add in .htaccess or functions.php to activate XML-RPC.
And why am I missing the XML-RPC functionality in my dashboard?
Thank You!
Muhammad Ammar Ashfaq says
I was searching for how to add this file xmlrpc.php to my WordPress, I am using version 4.5.3, and I came to this page. I need to add this PHP file because when I enable Jetpack I get a site_inaccessible error. Please tell me how to resolve this error. My site is
WPBeginner Support says
Step 1: Connect to your WordPress site using an FTP client or File Manager in cPanel. In your website's root directory, look for the xmlrpc.php file. If it is there, then try step 2. If it isn't, then download a fresh copy of WordPress. Unzip and extract it and upload the xmlrpc.php file back to your site's root directory.
Step 2: Check your WordPress theme's functions file for the code that disables XML-RPC.
Step 3: Check your .htaccess and wp-config files.
Administrator
omonaija says
Please, what can I do to enable xmlrpc on my site? Because I can't log in using the WordPress mobile app on my smartphone.
WPBeginner Support says
If you are using a security plugin on your WordPress site, then check its settings.
Administrator
Mook says
Booyah! This WP filter fixed the script kiddie attack. I still firewalled the person, but I don’t have to watch the logs like a hawk to add more IPs to the firewall. THANK YOU.
WPBeginner Support says
That’s why we use Sucuri.
Administrator
Alex says
Is that because Sucuri acts like the Disable XMLRPC plugin?
If so I can remove my Disable XMLRPC plugin,
Thanks
Alex
WPBeginner Support says
Sucuri acts like a firewall between your site and users. It blocks any suspicious activity before it could reach your website.
Chad says
I'm totally on board with disabling xmlrpc.php server-wide in my /etc/httpd/conf/includes/pre_main_global.conf file. But I am left with this question: is there a way to determine that a particular plugin "NEEDS" xmlrpc.php in order to work? I have concerns with blocking access to it and then having an issue 2 months down the road and not knowing that the issue is with the fact that I blocked xmlrpc.php previously.
Are there any common signs to look for in a log file or such which would point to a xmlrpc.php block as the cause?
Soumitra says
Hi, I just installed the plugin Disable XML-RPC.
Let's see!
Phranq says
Hey, I am using the WordPress app to post with my Android smartphone. Now I can't log in and my login credentials are correct. The response I got was "we can't log you in, couldn't connect to the WordPress site". Could you help me fix this WordPress app login error?
WPBeginner Support says
If you had disabled XML-RPC then you may not be able to log in using the WordPress mobile app. Look in your theme's functions.php file for this code
If it is there, then you need to remove it. You can also try deactivating plugins and turning them on one by one until you find the plugin that is stopping you from logging in using the WordPress mobile app.
Administrator
Josiah says
It's worth noting that "allow from 123.123.123.123" is optional, and if used should be updated to include your IP, or the IP of the device that needs access to xmlrpc.php (it would be good to cite examples in this article).
Natalie says
I am using GoodbyeCaptcha plugin to turn off the XML-RPC and works with no problem while Jetpack is activated.
Hope it helps
ATI says
Sorry, I've tried this method many times. It didn't work for me – in fact it brought the front end down (blocking visitors' read access to the web page) after adding this code to the .htaccess file.
Gretchen Louise says
Does disabling it this way prevent this issue? http://theaffluentblogger.com/operating-a-website/wordpress-xmlrpc-php-vulnerability-affects-shared-hosting-sites/ I have a friend whose site is continually crashing because of her xmlrpc file being attacked.
Editorial Staff says
Yes it will prevent the attack to an extent.
Administrator
Christopher Ross says
Keith, there's a trend in WordPress to move non-theme related functions out of the functions.php file and into a "site specific plugin", basically a plugin that you only activate on one unique website and it stores the non-theme related functions for that site.
You can accomplish the same thing by placing the code in your functions.php file.
Keith Davis says
Thanks Chris
Looks like you guys have already covered it.
https://www.wpbeginner.com/beginners-guide/what-why-and-how-tos-of-creating-a-site-specific-wordpress-plugin/
BTW – what’s happened to your comments system?
Was Livefyre then something related to twitter and facebook and now ?
Keith Davis says
Hi Guys
Sorry to be a bit thick but could you expand on… "All you have to do is paste the following code in a site-specific plugin:"
Which plugins are site specific?