Blank lines or extra content in XML-RPC
Blank lines or extra content in your site’s XML-RPC file can cause a problem when trying to connect to Jetpack.
Sometimes, when trying to connect Jetpack to your WordPress.com account, you’ll receive the following error:
Error Details: The Jetpack server could not communicate with your site’s XML-RPC URL. Please check to make sure example.com/xmlrpc.php is working properly. It should show ‘XML‑RPC server accepts POST requests only.’ on a line by itself when viewed in a browser and should not have any blank lines or extra output anywhere.
This usually happens whenever there is a problem with the wp-config.php file, a plugin, or the theme on your site.
Jetpack uses your site’s XML-RPC file to communicate with WordPress.com. You can access that file by adding xmlrpc.php to the end of your site URL. When you do so, here is what you should see on your browser, on a line by itself, with no extra content:
XML‑RPC server accepts POST requests only.
If you see whitespace above that message, or extra text, that’s most likely because some plugin, theme, or your site’s wp-config.php file has extra “whitespace” (new lines, spaces, tabs, …) before the first in the file.
This problem is another symptom of a more common problem: the “Headers already sent” problem.
To solve this issue, you can try to deactivate all plugins on your site, and see if that gets rid of the extra whitespace. Then, activate your plugins one at a time to determine which one is responsible.
If that doesn’t help, you can rule out a theme conflict by temporarily changing your site’s theme to a default theme (such as Twenty Seventeen) and trying again.
If you continue to experience issues, you’ll need to open your site’s wp-config.php file in a file editor, and make sure no whitespace was added before the first in the file.
Once you fix this issue, you’ll be able to use Jetpack or other plugins and apps using the XML-RPC file to communicate with your site.
If that doesn’t help, you can follow the troubleshooting steps listed on this page to find out more about the issue on your site.
How To Safely Disable XMLRPC In WordPress (While Keeping Jetpack)
By Bhagwad Park on January 23, 2019 0
One day I got a bunch of notifications from my WordPress security plugin that some IP addresses were blocked because of multiple incorrect login attempts. By itself, this is nothing to wonder at – after all, WordPress is the platform most targeted by hackers simply because it’s so popular. What was surprising, was that it shouldn’t have been possible on my site.
I use a special technique to hide my login page from anyone how doesn’t know an exact sequence of characters. It’s not just “site.com/wp-login.php”. So how come hackers were able to even attempt to log in? It didn’t make sense. So I pulled up the raw access logs from cPanel, and searched for the blocked addresses to see what they had accessed.
And of course, I should have seen it coming – it was xmlrpc.php.
What is xmlrpc.php?
Complex details aside, XML-RPC is a special protocol that allows 3rd parties to interact with your site. With it, you can make connections to other sites, and integrate their features with yours. The popular Jetpack plugin is probably the most conspicuous user of XML-RPC, but other sites can be as well.
While a great idea in theory, the fact is that xmlrpc.php is a favorite target for attackers. Since it provides a programmatic way to login, attackers can literally attempt to log in hundreds of times in a very short period. This is unlike a regular web page, where you first need to wait for the page to load etc.
If you don’t take any measures, XML-RPC attacks will slow down your site, might get you penalized by your web host, and possibly compromise your security.
Method 1: Enable the Jetpack Protection Module
This is probably the most “lite” step to take. You probably already have Jetpack installed on WordPress. If you don’t, you should! It’s got a bunch of useful features, and can also double up as a CDN. Once you’ve installed it, click the Settings on the left-hand side of the admin dashboard and go to the “Security” tab. Here, scroll down till you see the section “Brute force attack prevention”, and turn the switch on as shown here:
Jetpack will take some measures to ensure that brute force attacks via XML-RPC will be stopped before they become a problem. This doesn’t disable XML-RPC, but tries to prevent its abuse.
But it might not be enough.
Method 2: Block XML-RPC Entirely
The second idea is to simply block XML-RPC. Other than Jetpack, you probably don’t use it anyway. And if you don’t have Jetpack, best to disable it altogether.
To do this, open your .htaccess file. It’s not easy to do this from WordPress, but if you have the Yoast SEO plugin installed, there’s an easy way. Just go to “SEO” in the dashboard, click “Tools”, and choose the “File editor” as shown here:
This will allow you to edit your .htaccess file. Paste the following code into it and save your changes.
This will simply deny access to xmlrpc.php to everyone. Problem solved! But what if you want to use Jetpack? Since it’s such a popular plugin, we need a way to allow Jetpack’s servers to access XML-RPC.
Method 3: Whitelisting Jetpack
Instead of the code above, we can whitelist Jetpack’s IP address range using the following code:
Now whenever someone tries to directly access xmlrpc.php, they’ll see this:
And that’s it! You’ve successfully secured your site from XML-RPC attacks!
What Is Xmlrpc.php in WordPress and Why You Should Disable It
WordPress has always had inbuilt features that let you remotely interact with your site. Face it, sometimes you’ll need to access your website and your computer won’t be anywhere nearby. For a long time, the solution was a file named xmlrpc.php. But in recent years, the file has become more of a pest than a solution.
Below we dive into what xmlrpc.php actually is and why it was created. We also overview the common security issues it causes and how to patch them on your own WordPress site.
What Is Xmlrpc.php?
XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, this was sought to handle that job.
For example, let’s say you wanted to post to your site from your mobile device since your computer was nowhere nearby. You could use the remote access feature enabled by xmlrpc.php to do just that.
The core features that xmlrpc.php enabled were allowing you to connect to your site via smartphone, implementing trackbacks and pingbacks from other sites, and some functions associated with the Jetpack plugin.
Why Was Xmlrpc.php Created and How Was it Used?
The implementation of XML-RPC goes back to the early days of WordPress before it even became WordPress.
Back in the early days of the internet, when the connections were incredibly slow, the process of writing and publishing to the web was much more difficult and time-consuming. Instead of writing within the browser itself, most people would write offline, then copied and pasted their content onto the web. Still, this process was far from ideal.
The solution (at the time), was to create an offline blogging client, where you could compose your content, then connect to your blog to publish it. This connection was done through XML-RPC. With the basic framework of XML-RPC in place, early apps used this same connection to allow people to log in to their WordPress sites from other devices.
In 2008, with version 2.6 of WordPress, there was an option to enable or disable XML-RPC. However, with the release of the WordPress iPhone app, XML-RPC support was enabled by default, and there was no option to turn off the setting. This has remained true to the present day.
However, the functionality of this file has greatly decreased over time, and the overall size of the file has decreased from 83kb to 3kb, so it doesn’t play as large of a role as it used to.
The Future of XML-RPC
With the new WordPress API, we can expect XML-RPC to be eliminated entirely. Today, this new API is still in the trial phase and can only be enabled through the use of a plugin.
However, you can expect the API to be coded directly into the WordPress core in the future, which will mostly eliminate the need for the xmlrpc.php file altogether.
The new API isn’t perfect, but it provides a more robust and secure solution to the problem that xmlrpc.php addressed.
Why You Should Disable Xmlrpc.php
The biggest issues with XML-RPC are the security concerns that arise. The issues aren’t with XML-RPC directly, but instead how the file can be used to enable a brute force attack on your site.
Sure, you can protect yourself with incredibly strong passwords, and WordPress security plugins. But, the best mode of protection is to simply disable it.
There are two main weaknesses to XML-RPC which have been exploited in the past.
The first is using brute force attacks to gain entry to your site. An attacker will try to access your site using xmlrpc.php by using various username and password combinations. They can effectively use a single command to test hundreds of different passwords. This allows them to bypass security tools that typically detect and block brute force attacks.
The second was taking sites offline through a DDoS attack. Hackers would use the pingback feature in WordPress to send pingbacks to thousands of sites instantaneously. This feature in xmlrpc.php gives hackers a nearly endless supply of IP addresses to distribute a DDoS attack over.
To check if XML-RPC is running on your site, then you can run it through a tool called XML-RPC Validator. Run your site through the tool, and if you get an error message, then it means you don’t have XML-RPC enabled.
If you get a success message, then you can stop xmlrpc.php with one of the two approaches below.
Method 1: Disabling Xmlrpc.php With Plugins
Disabling XML-RPC on your WordPress site couldn’t be easier.
Simply navigate to the Plugins › Add New section from within your WordPress dashboard. Search for Disable XML-RPC and install the plugin that looks like the image below:
Activate the plugin and you’re all set. This plugin will automatically insert the necessary code to turn off XML-RPC.
However, keep in mind that some existing plugins may utilize parts of XML-RPC, so disabling it completely could cause a plugin conflict or certain elements of your site to no longer function.
If you’d want to only turn certain elements of XML-RPC off, but still allow certain plugins and features to work, then use the following plugins instead:
- Stop XML-RPC Attack. This plugin will stop all XML-RPC attacks, but it’ll continue to allow plugins like Jetpack, and other automatic tools and plugins to retain access to the xmlrpc.php file.
- Control XML-RPC Publishing. This allows you to retain control and use over the remote publishing option afforded by xmlrpc.php.
Method 2: Disabling Xmlrpc.php Manually
If you don’t want to utilize a plugin and prefer to do it manually, then follow this approach. It will stop all incoming xmlrpc.php requests before it gets passed onto WordPress.
Open up your .htaccess file. You may have to turn on the ‘show hidden files’ within file manager or your FTP client to locate this file.
Inside your .htaccess file, paste the following code:
Overall, XML-RPC was a solid solution to some of the problems that occurred due to remote publishing to your WordPress site. However, with this feature came some security holes that ended up being pretty damaging for some WordPress site owners.
To ensure your site remains secure it’s a good idea to disable xmlrpc.php entirely. Unless you require some of the functions needed for remote publishing and the Jetpack plugin. Then, you should use the workaround plugins that allow for these features, while still patching the security holes.
In time, we can expect the features of XML-RPC to become integrated into the new WordPress API, which will keep remote access and the like, without sacrificing security. But, in the meantime, it’s a good idea to protect yourself from the potential XML-RPC security holes.
Have you blocked XML-RPC access via a plugin or manually? Or experienced any security issues from having it active in the first place? Please share your experience in the comments below.