It's been a busy Sunday morning. I spent it troubleshooting a server that was having massive CPU spikes: it sat almost constantly at 90% or higher, RAM usage was spilling over into swap, consuming the entire swap file and then crashing MySQL, which brought down the website.
What was the culprit? xmlrpc.php, a file WordPress uses to allow remote editing of pages and posts. It was being accessed (or access was being attempted) multiple times a second.
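Before blocking anything it is worth confirming the diagnosis in the web server's access log: who is hitting xmlrpc.php, and how often. The script below is an added example, not part of the original post. It counts xmlrpc.php requests per source IP in a combined-format Apache access log; the log lines it reads are constructed sample data written to a temporary file, and the paths under /var/log mentioned in the comments are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example (not from the original post): count requests to xmlrpc.php
# per source IP in a combined-format Apache access log. The log lines below
# are constructed sample data; on a real server point the functions at
# /var/log/apache2/access.log or /var/log/httpd/access_log (assumed paths).

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Mar/2024:09:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:09:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:09:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:12:02 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:12:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF

# xmlrpc_hits_by_ip LOGFILE
# Prints "count ip" lines, busiest source first.
xmlrpc_hits_by_ip() {
    grep -E '"(GET|POST) /xmlrpc\.php' "$1" \
        | awk '{print $1}' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# xmlrpc_total LOGFILE
# Total number of requests to xmlrpc.php; handy for a before/after comparison
# once the block is in place (after blocking, look for 403s instead of 200s).
xmlrpc_total() {
    grep -c -E '"(GET|POST) /xmlrpc\.php' "$1" || true
}

# top_xmlrpc_ip LOGFILE
# The single noisiest source, the first one to look at when deciding
# whether the traffic is a legitimate client or junk to be rate-limited.
top_xmlrpc_ip() {
    xmlrpc_hits_by_ip "$1" | head -n 1 | awk '{print $2}'
}

echo "Total xmlrpc.php requests: $(xmlrpc_total "$SAMPLE_LOG")"
echo "Requests per source IP:"
xmlrpc_hits_by_ip "$SAMPLE_LOG"
```

On a busy server the ratio of xmlrpc.php requests to normal page requests is the telling number: a handful per hour from a known client is the remote-editing feature in use, while hundreds per minute from a few addresses is the pattern that was pegging CPU here. Run the same count again after blocking to confirm the requests now end in 403 instead of reaching PHP and MySQL.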
XML-RPC on WordPress is actually an API, an "application programming interface". It gives content creators the ability to talk to your WordPress site from another source or platform. Typical actions that you can perform without actually logging into your site's admin area include:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g. an image for a post)
- Get a list of comments
- Edit comments
Disabling xmlrpc.php also disables these features, so it's definitely important to weigh the benefits for yourself.
How do I disable xmlrpc?
The easiest thing is to simply block access to the xmlrpc.php file via your .htaccess file. Just copy and paste this into your .htaccess file and save (the rule must be wrapped in a Files block that names xmlrpc.php; a bare "deny from all" would block the whole site):
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
If you need to allow a machine to access the file, you'll need to get that computer's IP address (the machine you want to enable access for), then add this line inside the same Files block, after "deny from all":
allow from <machine's IP address>
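The directives above are the Apache 2.2 access-control syntax; on Apache 2.4 they only work if mod_access_compat is loaded, and the native form is Require. The following is an added example, not from the original post, showing one .htaccess block that does the right thing on either version. It assumes .htaccess overrides are enabled (AllowOverride) for the WordPress document root, and the address 203.0.113.10 is a placeholder for the one machine that legitimately needs XML-RPC.

```apache
# Added example (not from the original post). Restrict xmlrpc.php to a
# single trusted client and return 403 to everyone else.
# 203.0.113.10 is a placeholder; replace it with the real client's address.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4+: a Require ip line allows the listed addresses and
        # denies all others. Add more addresses separated by spaces.
        Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: classic Order/Deny/Allow syntax.
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

To check it, request the file from a host that is not whitelisted (for example `curl -I https://your-site.example/xmlrpc.php`, with your own hostname substituted) and confirm a 403 comes back; the request still reaches Apache, but it no longer starts PHP or touches MySQL, which is where the CPU and RAM were going. One caveat: if the site sits behind a reverse proxy or CDN, Apache sees the proxy's address as the client, so an IP whitelist only works once the real client address is restored (on 2.4, mod_remoteip does this); without that, stick to denying everyone.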
As soon as access to xmlrpc.php was disabled, CPU usage dropped to a high of around 20% and RAM usage dropped to around 500 MB.