You shouldn’t delete that file – it will be restored after update – so deleting it makes no sense (and it shouldn’t be treated as security fix). You can disable XMLRPC using filter: add_filter(‘xmlrpc_enabled’, ‘__return_false’); And even block access to that file. Below code for Apache (sandrodz showed code for nginx): <Files xmlrpc.php> Order deny,allow … Read more
There are plugins for that: e.g. http://wordpress.org/plugins/disable-xml-rpc/ You can also write a filter yourself add_filter(‘xmlrpc_enabled’, ‘__return_false’); You can simply add this code your theme functions.php (located in wp-content/themes/your_theme). However, you are advised to create a child theme (http://codex.wordpress.org/Theme_Development) so that your modification does not disappear when you update the theme. Alternatively, you can create your … Read more
You can look at the requests data / response data via Developer Tools in your browser (usually F12, but depends on your browser). That might give you some indication of the direction to investigate. Personal Opinion Personally, I have disabled xmlrpc.prg on all of my sites. It is an easy way for a hacker to … Read more
I’m unable to find a XML-RPC method called wp.getUsers in wp-includes/class-wp-xmlrpc-server.php. Could it be, that you’re using an additional plugin that extends the basic behavior of WordPress? A simple google search for ‘wp.getUsers’ points me to the the github repo of Max Cutler and the class wp-xmlrpc-modernization. There you have a method wp.getUsers which accepts … Read more
You can either use the JSON API plugin, or wait for the JSON REST API project that is now running through the Google Summer of Code project. This is intended to eventually go into WordPress core, but will work as a standalone plugin for the time being.
Playing with XML-RPC and underscored custom fields: Let’s say we want to set the featured image to a given post with $remote_post_id. We want it to be the attachment with ID equal to 300, so we want _thumbnail_id to be 300. Here are three methods how one could achieve that: Method #1 – Using post_thumbnail … Read more
XML RPC is enabled by default in WordPress since version 3.5, including WP 4.8.2. Here is the more info about it: XML-RPC Support. If it is not working for you, it is possible that you have some plugin that disables it, and most security plugins have options to do so.
Assigning posts to taxonomy terms in XML-RPC: Let’s assume your setup is: xml-rpc wp.newPost (sender) site A ————-> site B (receiver) and you want to assign the new posts to a given taxonomy terms on site B. From site B: Then you can try the following, on the receiving site B: $post_data[‘tax_input’] = array( ‘category’ … Read more
This looks like a spam bot or an enumeration rather than a DDoS attack. To be sure, you should look into your resource consumption, the dynamic of IP addresses and maybe the payloads. 1. Blocking access to xmlrpc.php file.: I think you shouldn’t: It cannot help you survive a real DDoS attack. As @cybmeta said, … Read more
If I have lots of custom methods what is the best approach to handling this? Instead of filtering xmlrpc_methods, you could extend the wp_xmlrpc_server class and set your class as default with the filter wp_xmlrpc_server_class. // Webeo_XMLRPC.php include_once(ABSPATH . WPINC . ‘/class-IXR.php’); include_once(ABSPATH . WPINC . ‘/class-wp-xmlrpc-server.php’); class Webeo_XMLRPC extends wp_xmlrpc_server { public function __construct() … Read more