What is XML-RPC?

XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as its transport mechanism.  In WordPress it is the system that allows pingbacks / cross-references between blogs.  It also allows you to create new blog posts remotely, among other things.

In a recent attack, more than 160 000 legitimate WordPress sites were hijacked by hackers via WordPress' XML-RPC function and used to launch a large scale Distributed Denial of Service (DDoS) attack.  This was done without having to compromise these websites; instead the attackers took advantage of an existing vulnerability.  The hackers exploited the XML-RPC interface in WordPress, which is used to provide services like Pingbacks (or Trackbacks).  This allows an attacker to initiate a request from the WordPress blog to any arbitrary site.  The XML-RPC function should be used to generate cross-references and links between blogs, but instead it was used in an amplification attack, with millions of requests from multiple locations directed against the target.

“Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDoS attacks against other sites.” ~ blog

You can check if your site has already been used as part of a DDoS attack by using the Sucuri DDoS scanner tool.  In order to prevent your site and its resources from being abused, you will have to disable the XML-RPC Pingback function on your website.  You will not be able to completely disable the xmlrpc.php file, as it is needed for important features of the site – unless you delete it from your server.

To block the Pingback function, add the following code to your theme:

add_filter( 'xmlrpc_methods', function( $methods ) {
    // Remove the pingback.ping method so this site can no longer be used as a pingback reflector.
    unset( $methods['pingback.ping'] );
    return $methods;
} );
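If you are on the receiving end of such an attack, the flood shows up in your web server log as GET requests from many different WordPress sites, each carrying the User-Agent that pingback.ping sends while "verifying" the claimed source page. The following script is an added example (not code from the original post) that scans constructed Apache combined-format log lines for those requests, counts hits per reflecting blog and lists the blogs that exceed a threshold; the User-Agent format "WordPress/<version>; <blog URL>; verifying pingback from <ip>" and the sample log lines are assumptions made for the example.

```python
import re
from collections import Counter

# Apache "combined" log format: IP, identity, user, [timestamp], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent a WordPress reflector sends when pingback.ping fetches the claimed source page.
# Assumed format: "WordPress/<version>; <reflecting blog URL>; verifying pingback from <claimed IP>".
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[^;]+; (?P<blog>[^;]+); verifying pingback from (?P<src>\S+)$'
)

# Constructed sample: three verification hits from one blog, one from another, one normal visitor.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2014:10:00:01 +0000] "GET /?4137049=2435429 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.10 - - [10/Mar/2014:10:00:01 +0000] "GET /?4137049=9983121 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.10 - - [10/Mar/2014:10:00:02 +0000] "GET /?4137049=1120045 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.22 - - [10/Mar/2014:10:00:02 +0000] "GET /?77120=5512 HTTP/1.0" 200 5120 "-" "WordPress/3.7; http://blog-b.example; verifying pingback from 203.0.113.7"
192.0.2.44 - - [10/Mar/2014:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_pingback_hit(line):
    """Return (reflecting blog URL, claimed origin IP) for a pingback verification request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = PINGBACK_UA_RE.match(m.group("ua"))
    return (ua.group("blog"), ua.group("src")) if ua else None

def find_reflectors(log_text, threshold=3):
    """Count pingback verification hits per reflecting blog and flag blogs at or above threshold."""
    per_blog, claimed_sources = Counter(), Counter()
    for line in log_text.splitlines():
        hit = parse_pingback_hit(line)
        if hit:
            per_blog[hit[0]] += 1
            claimed_sources[hit[1]] += 1
    flagged = sorted(b for b, n in per_blog.items() if n >= threshold)
    return per_blog, claimed_sources, flagged

if __name__ == "__main__":
    per_blog, sources, flagged = find_reflectors(SAMPLE_LOG)
    print("hits per reflecting blog:", dict(per_blog))
    print("claimed source IPs:", dict(sources))
    print("reflectors at/over threshold:", flagged)
```

The flagged list is the set of WordPress sites whose owners should be told to disable pingback.ping as described above; the "claimed source" IP is simply the attacker-supplied value and is not proof of who sent the requests.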

The Pixel Forge
Contact us for hack removal and web security in the event of your site being compromised.