How do I know if my site is using the xmlrpc.php file?

This looks like a spam bot or an enumeration rather than a DDoS attack. To be sure, you should look into your resource consumption, the dynamic of IP addresses and maybe the payloads.

1. Blocking access to xmlrpc.php file.:

I think you shouldn’t:

  1. It cannot help you survive a real DDoS attack.
  2. As @cybmeta said, it might break many third party services.
  3. Allow access from certain IPs also doesn’t help because IP can be faked and you cannot list all IPs which will use XML-RPC service.

I often log all IPs which make requests to xmlrpc.php, use iptables to setup rate limit. Then, block IPs which are surely evil.

2. How to know if your site is using xmlrpc.php

  1. Functions and resources in WordPress which use XML-RPC service have xmlrpc string in functions’ name or files’ name so you can skim through your theme and plugins to check if there’re any matches.
  2. All XML-RPC requests in WordPress go through xmlrpc.php which define('XMLRPC_REQUEST', true) so you can use:
if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) {
    // Log something.
    // Or exit immediately if something is evil in the request.
}

Note that you cannot use the code in theme/plugin files. xmlrpc.php is independent from themes and plugins so you must put it in your wp-config.php file.

Related Posts:

  1. WordPress as XML-RPC client?
  2. How to enable wpautop for XMLRPC content
  3. Extending xml rpc – best practice
  4. XML-RPC: Add category to post data
  5. How Enable XML-RPC in WP 4.8.2
  6. XMLRPC and Underscored custom fields
  7. Creating post content from external web scraper via JSON or RPC
  8. wp.getUsers XML-RPC method is returning only 50 users, how can i get all the users
  9. xmlrpc.php Returning 405 Response Code
  10. Restrict access to xmlrpc.php
  11. Simply deleting XMLRPC file
  12. Storing an XML Response (Transient)?
  13. Problem with Create Post using metaWeblog.newPost or wp_insert_post
  14. Is it possible to change a blog’s theme through XML-RPC command? (and if so how?)
  15. How pull wordpress blog data using Blogger API using python
  16. Create a new post in wordpress with XML-RPC with the correct GUID?
  17. Working code example of PHP XML-RPC connex to site?
  18. Automated posting to wordpress from commandline or XMLRPC API on Dreamhost
  19. Posting via HTTP requests?
  20. Why is minimum_args protected?
  21. Multiple new posts using XML-RPC?
  22. Is it possible write, publish and edit posts with WordPress from console aka terminal?
  23. How to enable xmlrpc in WordPress 5?
  24. modify post meta data remotely without xmlrpc
  25. XMLRPC newPost post_content issue
  26. Can XMLRPC set show_on_front/page_on_front?
  27. Send an extra parameter with xml-rpc login?
  28. Is there any image size limit for wordpress xml-rpc?
  29. XML-RPC and $wpdb
  30. XMLRPC won’t connect?
  31. wp.setOptions of the XML-RPC API does not appear to work
  32. How to list updates using WordPress XML-RPC methods
  33. Is XML-RPC still a security risk?
  34. Get Post meta via XML-RPC using wp.getPost
  35. How to process shortcodes in XML-RPC
  36. “XML-RPC server accepts POST requests only” error message
  37. New post created with XML-RPC works fine but fails to assign category
  38. Tagging posts to custom taxonomies using XMLRPC in R
  39. Getting all posts from an XMLRPC request [duplicate]
  40. not well-formed (invalid token) at line 15, column 51, byte 720 when trying to parse XMLRPC call
  41. XML-RPC aplication blocked by the hosting
  42. Weblog clients cannot retrieve posts: An invalid hexadecimal character (0x7) was found in the element content of the document
  43. Using XML RPC to import data into WordPress
  44. Page content sent from XML RPC is corrupted
  45. metaWeblog.getRecentPosts is returning nothing in my iphone app
  46. tag is ignored when using xml-rpc
  47. How to read newpost return post ID value as integer for xmlrpc
  48. Enabling XML-RPC Accross 500 blogs
  49. Retrieve username and password from XMLRPC request
  50. Fatal Error: Allowed Memory Size of 134217728 Bytes Exhausted (CodeIgniter + XML-RPC)
  51. Best way to eliminate xmlrpc.php?
  52. SSO / authentication integration with external ‘directory service’
  53. Does blocking xmlrpc.php affect pinging update services like pingomatic
  54. custom XMLRPC method plus authentication of user & WooCommerce order
  55. X-Pingback and XMLRPC
  56. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  57. Most efficient way to insert a post outside WordPress?
  58. XMLRPC Avoid duplicate content
  59. Possible to filter the posts or categories that XML-RPC users see in their mobile application?
  60. Removing unnecessary wordpress files
  61. How to disable XML-RPC from Linux command-line in a total way?
  62. PHP library that can merge stylesheet with inline style [closed]
  63. Is there a way to know if a post has been published through XML-RPC?
  64. Overwrite default XMLRPC function from plugin
  65. XML-RPC and Custom Post Types
  66. Help Me Choose RSS or XML-RPC
  67. Turn off Admin Bar (Toolbar) in backend – no easy way
  68. Checking post format during xmlrpc_publish_post
  69. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  70. XML-RPC errors they know my username?
  71. Execute upgrade-theme with coding
  72. XML-RPC: How to add media caption to uploaded image?
  73. How to block XML-RPC attack?
  74. Manipulating/view postmeta remotely
  75. XMLRPC slow and weird websites/services
  76. How to find a post using XML-RPC without knowing ID
  77. Multisite -> XMLRPC
  78. Remotely search WordPress sites using xml-rpc
  79. Call specific plugin update
  80. Can I Remove xmlrpc.php completely?
  81. wp.getComments is returning nill, when i called from my iphone app [closed]
  82. Queries take 120+ seconds on my large WordPress site
  83. Checking for origin of a xmlrpc request
  84. Do I need to instantiate the XMLRPC class or any class in another class to access its methods?
  85. Using Microsift Word/Outlook for content publishing to WordPress
  86. Post via wp-admin and via iOS app, same hooks and triggers involved?
  87. Can I disable xml-rpc by setting it to false?
  88. Azure WordPress deny access to xmlrpc
  89. Regular XML-RPC timeouts
  90. XMLRPC pingback.extensions.getPingbacks not work with parameters
  91. API WordPress is Limited? Return False
  92. Why none of xmlrpc filters work
  93. Insert custom post type via XML-RPC?
  94. Manage multiple wordpress installs (Best Practice)
  95. Anomaly with response coming from XML RPC Api get Post (integer out of range)
  96. Custom xmlrpc request does not pass parameters?
  97. Modifying WordPress XML-RPC Built-Ins
  98. Create a “feed” from one WordPress site to another?
  99. Getting the Posts’ permalinks from XLMRPC
  100. XMLRPC: How to retrieve possible custom fields for a new post?

Leave a Comment