Hi there,
Thanks for the feedback.
The XML-RPC interface has been an integral part of the WordPress software for the past 12 years. It’s an efficient way for you to be able to publish posts and interact with your site from a third-party service, like an app or an editor. That is for example the protocol used by the official WordPress mobile apps.
Naturally, since it’s another way to access and interact with your site, it’s also another place where spammers will try to get in to your site. Your site’s login screen and the XML-RPC endpoint are 2 of the most common attack entry points for WordPress today.
That doesn’t mean XML-RPC is a security flaw though, just like your login screen isn’t a security flaw. It does mean, however, that you should do what you can to protect that entry point to your site.
There are typically 3 ways to protect your site against XML-RPC attacks:
- Just like for your login screen, use a strong unique password. Spammers won’t be able to post to your site via XML-RPC if they cannot log in as you.
- Just like for your login screen, use a service to block spammers from trying to brute-force their way into your site by trying to post using different passwords. The Jetpack plugin offers such a service, for free. You can activate the “Brute force protection” feature under Jetpack > Settings > Security in your dashboard. That feature will protect both the login screen and XML-RPC, and block spammmers who keep trying to get in to your site.
- You can also block XML-RPC attacks before they even reach your site. Most hosting providers, especially those familiar with WordPress, have such security measures ; they’ll detect patterns of malicious requests to your site’s XML-RPC interface and block spammers before they can even try to log in. That doesn’t mean blocking all of XML-RPC though. Hosting providers can allow legitimate usage of XML-RPC and only block malicious usage.
With that in mind, I would recommend that you contact your hosting provider and ask them if they can block such XML-RPC attacks without blocking all XML-RPC requests. If they’re not sure how to do that, ask you for more information, or insist on blocking XML-RPC entirely, do not hesitate to send us their questions alongside more details about your site via this contact form. We’ll be happy to answer any questions they may have, and help them block XML-RPC attacks while still allowing usage of plugins like Jetpack, or of the official WordPress mobile apps, just like many other hosting providers already do today.
I hope this clarifies things a bit. Don’t hesitate to reach out again if you have any other questions!
