It’s been a busy Sunday morning. I spent it troubleshooting a server that was having massive CPU spikes. CPU usage sat almost constantly at 90% or higher. RAM usage was spilling over into swap, consuming the entire swap file, and then crashing MySQL – bringing down the website.
What was the culprit? xmlrpc.php – a file used by WordPress to allow remote editing of pages/posts. It was being accessed (or access was being attempted) multiple times a second. XML-RPC on WordPress is actually an API, or ‘application programming interface’. It gives content creators the ability to talk to your WordPress site from another source or platform. Typical actions that you can perform without actually logging into your site include:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g., an image for a post)
- Get a list of comments
- Edit comments
Disabling xmlrpc.php also disables these features, so it’s definitely important to weigh the benefits for yourself.
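Before deciding to block, it helps to confirm from the access log that xmlrpc.php really is being hammered and by whom. The script below is an added example (not code from the original post): it parses Apache combined-format log lines, counts xmlrpc.php requests per client IP per second, and flags any source that exceeds a threshold. The log lines embedded in it are constructed for the demonstration, and the threshold of 3 hits per second is an assumed value, not one the post states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: client IP, identity, user, [timestamp],
# "request line", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not from the original post): one client
# hammering xmlrpc.php several times within one second, plus ordinary traffic
# and a garbage line that the parser must skip.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2020:09:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2020:09:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2020:09:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2020:09:14:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
198.51.100.2 - - [12/Jan/2020:09:14:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Jan/2020:09:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/5.3"
203.0.113.7 - - [12/Jan/2020:09:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def xmlrpc_hits_per_second(lines, script="/xmlrpc.php"):
    """Count xmlrpc.php requests keyed by (client IP, second), ignoring unparseable lines."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status = parsed
        # Strip any query string so /xmlrpc.php?rsd is counted as well
        if path.split("?", 1)[0] == script:
            counts[(ip, ts.replace(microsecond=0))] += 1
    return dict(counts)


def flag_sources(lines, threshold=3):
    """Return sorted client IPs that hit xmlrpc.php at least `threshold` times within any single second."""
    flagged = set()
    for (ip, _second), n in xmlrpc_hits_per_second(lines).items():
        if n >= threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip}: xmlrpc.php flood, candidate for the .htaccess deny list")
```

On a real server, feed it the live log (`flag_sources(open("/var/log/apache2/access.log"))`) and compare the flagged addresses against the IPs of any legitimate remote-publishing tools before you decide what to allow through.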
How do I disable XMLRPC?
The easiest thing is to simply block access to the xmlrpc.php file via your .htaccess file. Just copy and paste this in your .htaccess file and save:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
However, if you need to allow one or more IP addresses to use XMLRPC you can instead use the following, where each IP address that needs access is separated by a space (Apache’s allow directive does not accept commas between hosts):
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 192.168.0.1 10.0.0.1
</Files>
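Hand-editing the allow list is where mistakes creep in (a stray comma, a mistyped address), and the Order/Deny/Allow directives above are the Apache 2.2 syntax, which Apache 2.4 only honours when mod_access_compat is loaded. The following is an added example, not code from the original post: it validates each allow-list entry as an IP address or CIDR range with Python’s ipaddress module, rejects anything else, and renders the <Files xmlrpc.php> block in either the legacy form shown above or the native Apache 2.4 Require form. The function names and the sample addresses passed in at the bottom are my own choices.

```python
import ipaddress


def normalise_allowlist(entries):
    """Validate each entry as an IPv4/IPv6 address or CIDR network and return canonical strings.

    Anything that is not an address or network (for example "192.168.0.1," with a
    comma attached) raises ValueError instead of being written into .htaccess,
    where Apache would treat it as a hostname and never match it.
    """
    cleaned = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR range: {raw!r}") from exc
        # A /32 or /128 is a single host; write it without the prefix length
        if net.num_addresses == 1:
            cleaned.append(str(net.network_address))
        else:
            cleaned.append(str(net))
    return cleaned


def htaccess_block(entries, legacy=True):
    """Render the <Files xmlrpc.php> block that denies everyone except the allow list.

    legacy=True  -> Order/Deny/Allow directives (Apache 2.2, or 2.4 with mod_access_compat)
    legacy=False -> Require directives (native Apache 2.4 syntax)
    An empty allow list denies all access, matching the first snippet in the post.
    """
    allowed = normalise_allowlist(entries)
    lines = ["<Files xmlrpc.php>"]
    if legacy:
        lines += ["order deny,allow", "deny from all"]
        if allowed:
            # Hosts are separated by spaces, never commas
            lines.append("allow from " + " ".join(allowed))
    else:
        if allowed:
            lines.append("Require ip " + " ".join(allowed))
        else:
            lines.append("Require all denied")
    lines.append("</Files>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Sample allow list (constructed): one host plus a whole private range
    print(htaccess_block(["192.168.0.1", "10.0.0.0/8"]))
    print()
    print(htaccess_block(["192.168.0.1", "10.0.0.0/8"], legacy=False))
```

Paste the output for your Apache version into .htaccess; if you are unsure which version you run, `apachectl -v` reports it, and on 2.4 the Require form is the safer choice because it does not depend on a compatibility module being enabled.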