How to secure WordPress XMLRPC?

XMLRPC is great for remote publishing to WordPress, but there have been many security issues attributed to it. How do I make it more secure?
More specifically, only users from the intranet will be publishing through XMLRPC. WP is currently running on Lighttpd and PHP 5.3.

4 comments

  1. XMLRPC is as secure as the rest of WordPress. All of the requests need to be authenticated with username and password credentials that exist on your site already. That means, if someone has a login for your site, they can use the XMLRPC interface (if it’s turned on). But anonymous users can’t get in.

    The only potential security vulnerability you might face with XMLRPC is that of a man in the middle attack. But you face this same risk with the regular WordPress admin, so it’s not unique to XMLRPC.

    The best way to prevent this kind of an issue is to enable SSL security on your site. You’ll need an SSL certificate, and then you need to access your XMLRPC endpoint via https:// rather than http://. This will encrypt your requests and prevent anyone from intercepting them and stealing your credentials.

    You should also enable SSL security on login for your regular site because it, too, faces the same risks.

  2. I suggest the following code to append to the .htaccess file

    <FilesMatch "^xmlrpc\.php$">
    # Deny is evaluated first, then Allow, so the listed address wins over "Deny from all"
    Order Deny,Allow
    # IP address whitelist (Apache 2.2 syntax; Apache 2.4 uses "Require ip xxx.xxx.xxx.xxx")
    Allow from xxx.xxx.xxx.xxx
    Deny from all
    </FilesMatch>
    
  3. To limit access to xmlrpc.php to only the IP range that needs it (e.g. Jetpack) you can do something like this.

    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    # range that needs XML-RPC access (Jetpack in this example)
    Allow from 192.0.64.0/18
    Satisfy All
    # a URL here makes Apache answer a denied request with a redirect instead of a 403 page
    ErrorDocument 403 http://127.0.0.1/
    </Files>
    

    Securing xmlrpc.php seems generally under-discussed on the web, but an attack can mean a DoS attack. Definitely worth discussing to make sure more people can prevent an attack, in my opinion.
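Comments 2 and 3 both put the IP allowlist in Apache's .htaccess, which Lighttpd (the asker's server) does not read. The must-use plugin below is an added example, not code from the thread or from WordPress core: it performs the same IPv4 address/CIDR allowlist check inside WordPress, so it works under any web server and covers both the single-address case of comment 2 and the range case of comment 3. The ranges in it are assumptions to replace with your own. It hooks the `xmlrpc_methods` filter rather than `xmlrpc_enabled`, because `xmlrpc_enabled` is only consulted when a method tries to log in, so credential-less methods such as pingback.ping would still answer outside callers.

```php
<?php
/*
 * Plugin Name: Intranet-only XML-RPC
 * Description: Added example (not from the original thread or WordPress core).
 *   Exposes xmlrpc.php only to the IPv4 addresses/CIDR ranges listed below,
 *   enforced inside WordPress so it also works on Lighttpd, which does not
 *   read .htaccess. Install as wp-content/mu-plugins/intranet-xmlrpc.php.
 */

// Assumed intranet ranges: replace with your own. A bare address is treated as /32.
$intranet_xmlrpc_allowlist = array(
    '10.0.0.0/8',
    '192.168.1.0/24',
    '203.0.113.10',          // one specific publishing host (documentation address)
);

/**
 * True if IPv4 address $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/n").
 * Uses ip2long() so it runs on PHP 5.3; anything that is not a valid IPv4
 * address (including IPv6 clients) is reported as not matching, i.e. denied.
 */
function intranet_xmlrpc_ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    list($network, $bits) = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $ip_long      = ip2long($ip);
    $network_long = ip2long($network);
    if ($ip_long === false || $network_long === false || $bits < 0 || $bits > 32) {
        return false;
    }
    if ($bits === 0) {
        return true;            // /0 matches every address; also avoids a 32-bit shift below
    }
    $mask = ~0 << (32 - $bits); // the high $bits bits set, low bits clear
    return ($ip_long & $mask) === ($network_long & $mask);
}

function intranet_xmlrpc_ip_allowed($ip, array $allowlist) {
    foreach ($allowlist as $cidr) {
        if (intranet_xmlrpc_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/*
 * 'xmlrpc_methods' is applied when the XML-RPC server builds its method
 * table, before any request is dispatched. Returning an empty table for an
 * outside client means every method it asks for is answered with a
 * "requested method does not exist" fault, authenticated or not, so no
 * password is ever checked for it.
 */
add_filter('xmlrpc_methods', function ($methods) use ($intranet_xmlrpc_allowlist) {
    // REMOTE_ADDR is set by the web server from the TCP connection, so the
    // client cannot forge it (unlike X-Forwarded-For). Behind a reverse proxy
    // every client would appear as the proxy: resolve the real address there,
    // trusting only the proxy's header, before this filter runs.
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!intranet_xmlrpc_ip_allowed($client, $intranet_xmlrpc_allowlist)) {
        return array();
    }
    // Intranet publishers do not need pingbacks, and pingback.ping is the
    // method used to turn a site into a DoS reflector, so drop it for them too.
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
```

Files in wp-content/mu-plugins/ load without activation and cannot be switched off from the dashboard, which is what you want for an access control. To verify, POST any method call to /xmlrpc.php from an address outside the list and confirm you get the "method does not exist" fault while the same call from the intranet succeeds. Where the web server can do the allowlist itself (Apache's Files block above, or a $HTTP["remoteip"] conditional in Lighttpd), keep that as the first layer and this plugin as the second.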

  4. The plugin Secure XML-RPC seems to address the issue of sending sensitive info over the wire.

    Plugin description:

    Rather than sending usernames and passwords in plain text with every request, we’re going to use a set of public/secret keys to hash data and authenticate instead.