The importance of disabling XML-RPC for WordPress sites
Does your WordPress VPS site keep crashing? Does your MySQL keep getting killed? Have you seen this before?
I had been troubled by a recurring problem of services shutting themselves down on my Linux VPS. I dug through all the logs and the memory usage monitor and found nothing special, except that the Ubuntu OOM killer was killing either MySQL or Tomcat.
At first, I guessed that I had put too much load on a 1 GB RAM virtual box, because I was running a WordPress blog, MySQL, and a big fat Tomcat WAR on it. I tinkered with every setting and config to limit the memory usage of the Apache, Tomcat, and MySQL services. I gave Ubuntu a bigger swap space. Hey, it's better to be slower than to be out of service. After all the tricks I pulled off, the problem remained, without any significant improvement.
When I had almost given up and accepted some kind of "run an auto-restart script at midnight every night and hope the problem doesn't occur during the day" solution, an email popped up in my mailbox.
Thank you Russians.
In summary, my xmlrpc.php had been used by hackers to perform DDoS attacks against other sites.
It's very nasty because it leaves almost no traces on your server (the Apache access log does record the requests to xmlrpc.php).
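The one trace that is left is the access log, so the check worth running first is how often xmlrpc.php is being hit and from where. The script below is an added example, not part of the original post: it assumes Apache's combined log format (the request path is the seventh whitespace-separated field) and uses a constructed sample log with addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. Point the functions at the real access log (on Ubuntu typically /var/log/apache2/access.log) instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the original post): count requests to xmlrpc.php in
# an Apache access log, overall and per client IP. Assumes combined log format.

# Constructed sample access log. IPs are from the documentation ranges.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
EOF

# Total number of requests whose path is /xmlrpc.php (with or without a query string).
xmlrpc_total() {
    awk '$7 ~ /^\/xmlrpc\.php(\?|$)/ { n++ } END { print n + 0 }' "$1"
}

# Per-client-IP counts for /xmlrpc.php, busiest first, printed as "count ip".
xmlrpc_by_ip() {
    awk '$7 ~ /^\/xmlrpc\.php(\?|$)/ { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" |
        sort -rn
}

# Just the busiest source, as "count ip".
xmlrpc_top() {
    xmlrpc_by_ip "$1" | head -n 1
}

echo "xmlrpc.php requests in sample log: $(xmlrpc_total "$SAMPLE_LOG")"
echo "busiest client: $(xmlrpc_top "$SAMPLE_LOG")"
```

On a site that is not used from the mobile apps, xmlrpc.php should see next to no traffic, so a large count, or one address dominating the list, is the signal to look for; a spike in 200 responses to POST /xmlrpc.php is also a cheap thing to alert on in whatever log monitoring the box already has.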
Once you can identify the problem, the solution is just around the corner.
There are 3 ways to do it:
- Set Apache's .htaccess to deny access to the xmlrpc.php file.
- Write some PHP code in one of the main WordPress PHP files (wp-settings.php, best practice) to disable XML-RPC.
- Install a disable-XML-RPC plugin (does No. 2 in the background).
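For anyone who prefers ways 1 and 2 over a plugin, the script below is an added example, not code from the original post, showing both applied from the command line. It assumes Apache 2.4 (the `Require` syntax) with `AllowOverride` enabled for the site, and it puts the PHP filters in a must-use plugin under wp-content/mu-plugins rather than in wp-settings.php, since WordPress updates overwrite core files but load mu-plugins automatically. The filter names `xmlrpc_enabled` and `xmlrpc_methods` are real WordPress hooks; the directory used in the demo is a throwaway temp dir standing in for the real document root.

```shell
#!/bin/sh
# Added example (not from the original post): block xmlrpc.php at the web
# server (way 1) and switch XML-RPC off inside WordPress (way 2).
# Assumes Apache 2.4 and a WordPress install at the directory passed in.

# Way 1: an .htaccess rule that denies every request to xmlrpc.php, so PHP
# never even runs for those requests.
write_htaccess_deny() {
    wp_root="$1"
    cat >> "$wp_root/.htaccess" <<'EOF'
# Block XML-RPC (added by the site owner)
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF
}

# Way 2, mu-plugin variant: the same filters the disable-XML-RPC plugins use,
# placed in wp-content/mu-plugins so an update cannot remove them.
write_mu_plugin() {
    wp_root="$1"
    mkdir -p "$wp_root/wp-content/mu-plugins"
    cat > "$wp_root/wp-content/mu-plugins/disable-xmlrpc.php" <<'EOF'
<?php
/*
Plugin Name: Disable XML-RPC
Description: Turns off xmlrpc.php and removes the pingback method.
*/
// Refuse every XML-RPC call. Mobile apps that rely on XML-RPC stop working.
add_filter( 'xmlrpc_enabled', '__return_false' );
// Belt and braces: also drop pingback.ping from the advertised method table.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
EOF
}

# Check: succeeds (exit 0) only if both the Apache rule and the mu-plugin are present.
xmlrpc_hardened() {
    wp_root="$1"
    grep -q 'Require all denied' "$wp_root/.htaccess" 2>/dev/null &&
        grep -q 'xmlrpc_enabled' "$wp_root/wp-content/mu-plugins/disable-xmlrpc.php" 2>/dev/null
}

# Demo on a throwaway directory standing in for the WordPress document root.
WP_ROOT="$(mktemp -d)"
trap 'rm -rf "$WP_ROOT"' EXIT
write_htaccess_deny "$WP_ROOT"
write_mu_plugin "$WP_ROOT"
if xmlrpc_hardened "$WP_ROOT"; then
    echo "xmlrpc hardening in place under $WP_ROOT"
fi
```

Way 1 alone is enough to stop the abuse, because the request never reaches PHP; way 2 is the fallback for hosts where .htaccess is ignored. After applying either, a POST to /xmlrpc.php should come back as 403 (way 1) or as an XML-RPC fault saying the service is disabled (way 2), and the hit counts in the access log should drop to nothing within a day.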
I picked No. 3 for readability. I hope it solves your problem. It solved mine; my server runs like a champ now.
I understand that letting admins and owners manage posts or merchandise from their phone and tablet is such an advanced and important step for WordPress's overall strategy. In the best case scenario, the WordPress team gets this loophole fixed. For now, I just have to disable it.