Disabling XMLRPC, SMTP on WordPress For Security

Abhishek Ghosh

By Abhishek Ghosh July 3, 2015 8:19 pm Updated on July 3, 2015

Disabling XMLRPC, SMTP on WordPress For Security

WordPress is NOT a secured Web Software by Default. On Cloud Computing Platforms Disabling XMLRPC, SMTP on WordPress For Security is Important. PHP itself has some problems, WordPress developers hugely love some features which make both WordPress complicated and vulnerable. Nowadays, a web host is publishing their “paid guides” on their website (directly, it is Digital Ocean) and Google is hugely loving. They have guides which can be dangerous for a relatively new user. We are talking about HP Cloud where we have control with router to control the ports apart from Firewall at operating system level. Your setup assumed to be on IBM, HP Cloud, Rackspace etc. standard IaaS providers or OpenShift or Heroku PaaS.

Disabling XMLRPC, SMTP on WordPress For Security : What the Hell They Do?

XMLRPC is for remote blogging, pingbacks, trackback etc. SMTP function is mainly needed for Mail, which can be avoided by using transactional email services. We wrote before how to use Mandrill to receive email from WordPress.

Unless you are quite used with networking, try avoiding both of them. We might need SMTP daemon for monitoring services. smtpd needs a non-Free software library to get configured on deb GNU/Linux. This is the thing Richard Stallman talks about Debian – Debian has these repo of non-Free softwares on their “servers”. Ubuntu Multiverse has these non-Free softwares. In very short, for many monitoring service we might need smtpd. Thats quite dangerous to keep open to the World.

Disabling XMLRPC, SMTP on WordPress For Security

On deb GNU/Linux, if smtpd is not configured; practically neither XMLRPC will work not the vulnerability will remain wide open. However, that is NOT exactly the right method for bullet proof security on WordPress. There are many security experts talked about this XMLRPC problem of WordPress. If you do a cURL on that XMLRPC on our website, you’ll see :

$ curl -I -s https://thecustomizewindows.com/xmlprc.php | grep HTTP
HTTP/1.1 301 Moved Permanently

1 2	$ curl -I -s https://thecustomizewindows.com/xmlprc.php \| grep HTTP HTTP/1.1 301 Moved Permanently

---

this is done both from WordPress PHP level as well as from Nginx web server. XMLRPC not only can do DDoS but can invite Man in the Middle Attack.

Basically that /xmlrpc.php calls another files. We are keeping that XMLRPC Advertisement towards the dangerous automated bots to get the IP, but you normally should disable it with this filter plus remove the function :

// 1. disables the function
add_filter( 'xmlrpc_enabled', '__return_false' );
// 2. removes specifically the functions
add_filter( 'xmlrpc_methods', 'tcw_block_xmlrpc_attacks' );
function tcw_block_xmlrpc_attacks( $methods ) {
   unset( $methods['pingback.ping'] );
   unset( $methods['pingback.extensions.getPingbacks'] );
   return $methods;
}
// 3. removes header "advertisement"
add_filter('wp_headers', function($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
// 4. alternate way to remove the header "advertisement"
add_filter( 'wp_headers', 'tcw_remove_x_pingback_header' );
function tcw_remove_x_pingback_header( $headers ) {
   unset( $headers['X-Pingback'] );
   return $headers;
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

// 1. disables the function

add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. removes specifically the functions

add_filter( 'xmlrpc_methods', 'tcw_block_xmlrpc_attacks' );

function tcw_block_xmlrpc_attacks( $methods ) {

unset( $methods['pingback.ping'] );

unset( $methods['pingback.extensions.getPingbacks'] );

return $methods;

}

// 3. removes header "advertisement"

add_filter('wp_headers', function($headers) {

unset($headers['X-Pingback']);

return $headers;

});

// 4. alternate way to remove the header "advertisement"

add_filter( 'wp_headers', 'tcw_remove_x_pingback_header' );

function tcw_remove_x_pingback_header( $headers ) {

unset( $headers['X-Pingback'] );

return $headers;

}

You can see the are numbered as 1,2,3,4. You should use any of this combination :

1 or 2 or 3 or 4 alone
1 + 3
1 + 4
2 + 3
2 + 4

You can add these on theme or child theme’s functions.php file or use our easy plugin to add any snippet theme or child theme’s functions.php file. As the physical file is present, we should block it too (on Nginx) :

# server {
# rest of the codes
    location = /xmlrpc.php {
        deny all;
    }
# rest of the codes
# }
# server block ends

1

2

3

4

5

6

7

8

# server {

# rest of the codes

location = /xmlrpc.php {

deny all;

}

# rest of the codes

# }

# server block ends

There is no reason to think that a hacker will not know about WordPress.

Disabling XMLRPC, SMTP on WordPress For Security : Checking the Access Logs

If you only see only the error logs, you will see errors against the XMLRPC by :

Googlebot/2.1;  http://www.google.com/bot.html

1	Googlebot/2.1; http://www.google.com/bot.html

actually its fake. Here is screenshot of such fake tries which we revealed by another method we are describing :

Disabling XMLRPC, SMTP on WordPress For Security

if you access log of Nginx is /var/log/nginx/access.log, then if you run this command :

grep xmlrpc /var/log/nginx/access.log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head

1	grep xmlrpc /var/log/nginx/access.log \| cut -d' ' -f1 \| sort \| uniq -c \| sort -rn \| head

there are 100% spammy blacklisted IPs. They needs to be blocked via firewall.

Tagged With wordpress security functions php

About Abhishek Ghosh

Popular Articles