This presentation, originally given at the WordPress Orlando Meetup on April 8th, 2014, is a basic tutorial on how to stop the XML-RPC hack in WordPress using just a few lines of code.

1. Stopping the XML-RPC Hack
Simple Solutions for a Serious Problem

2. Adam Soucie
• Highforge
• Web Developer
• Content writer

3. • Allows WordPress to
post on your behalf
• Allows access to
WordPress clients
• Allows for ping backs
and trackbacks
What is XML-RPC?

4. • Hijacks your website
without your knowledge
• Uses your site for a DDoS
attack
• Potentially gets your
domain labelled as a
spammer
Why is it dangerous?

5. • Add a filter to
functions.php
• Prevent access to
XMLRPC.php
using .htaccess
• Use a plugin
How do you stop it?

6. • Completely disables
XMLRPC.php
• Uses a filter
• One line of code
• Alternative for
Jetpack users is 5
lines
Method 1: Functions.php

7. add_filter('xmlrpc_enabled', '__return_false');
Complete disable XML-RPC…

8. add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );!
function remove_xmlrpc_pingback_ping( $methods ) {!
unset( $methods['pingback.ping'] );!
return $methods;!
} ;
…or just block Pingbacks

9. • One command
• Blocks access at the
server level for extra
security
• Can also whitelist IPs to
allow limited access
Method 2: .htaccess

10. <Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
To block all access…

11. <Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 987.654.321
</Files>
…or to Whitelist IPs

12. • Mimics the
Functions.php method
• Perfect for non-coders
• Disable XML-RPC is the
most common one
Method 3: Use a plugin

13. Any questions?

14. More info:
www.adamsoucie.com
www.highforge.com
Illustrations by:
Tina Fiume