XML-RPC, the REST API, and WordPress security

We spend a lot of time at the Orange County WordPress Meetup talking about how to make your site more secure. A few basic tips we discuss are: don’t use “admin” as your username, follow best practices when creating your passwords, and if you’re an advanced developer, consider changing your database prefix from “wp_” to something else. However, the more advanced WordPress becomes, the more things there are for us to consider for security. There’s no better time than the start of the New Year to make a resolution to protect your site! Two advanced WordPress features to consider for security are XML-RPC and the new REST API.

Secure your XML-RPC and REST API today!

XML-RPC

One of the files in your WordPress install is something called xmlrpc.php. This piece of code is an API that allows for external software to perform basic functions on your site like publishing a post, uploading an image, and more. If you’ve ever used a utility like IFTTT.com to create posts on your site, you’ve made use of the XML-RPC API. Some features of Jetpack also use XML-RPC.

As useful as this feature is, it can also be a point of vulnerability. Hackers can target XML-RPC with DDoS attacks via pingbacks and even brute-force login attempts, either of which can make your site inaccessible.

Thankfully, there are several ways to protect yourself. One option is to disable XML-RPC altogether; however, this isn’t the right choice for all sites, especially if you need to use these functions.

You can have your XML-RPC cake and eat it too by using security plugins like Wordfence or Sucuri to prevent these attacks.

REST API

WordPress’ REST API is one of our favorite features. We’ve extended it considerably in our work using WordPress as the content management system for our mobile apps, so that data is easy for clients to manage and easy to share between platforms. But, like XML-RPC, this feature is prone to abuse.

A few days ago, GHacks.net pointed out that by default, the REST API is accessible to anonymous users. This means that anyone who goes to {yourdomain.com}/wp-json/wp/v2/users can access a list of your site’s registered users. Though this information by itself doesn’t make your site vulnerable, it could provide a hacker with what they need to cross-reference with other data, or give them a place to focus a social engineering attack, in order to crack an administrator’s password.

In WordPress versions 4.4 to 4.6, it was possible to disable the REST API altogether by using a filter. However, this filter was removed in version 4.7. Instead, you can use a plugin like Disable REST API to block anonymous users from accessing your site’s information. This option keeps the API available to authenticated users.
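As an added example (not code from the original post, nor from the plugins it names), here is what the two mitigations above look like as a small must-use plugin built on WordPress’ own filters: REST API requests are rejected unless a user is logged in, and the pingback XML-RPC methods are removed while the rest of XML-RPC stays available for tools like Jetpack or IFTTT. It assumes WordPress 4.7 or later and is dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Restrict REST API and XML-RPC (added example)
 * Description: Require a logged-in user for REST API requests and
 *              remove the pingback XML-RPC methods. Illustrative code,
 *              not part of the original post or any named plugin.
 */

// 1. REST API: anonymous requests get a 401 (or 403), so /wp-json/wp/v2/users
//    no longer lists users to the public. Logged-in users, and clients that
//    authenticate (cookie + nonce, application passwords, etc.), keep working.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already decided (true or WP_Error):
    // respect that decision instead of overriding it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return $result;
} );

// 2. XML-RPC: drop only the pingback methods used for the pingback DDoS the
//    post describes. Publishing, uploads and other methods remain available.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Alternative, if nothing on the site needs XML-RPC at all: this makes
//    every method that requires a login fail with "XML-RPC services are
//    disabled on this site." Uncomment to use instead of section 2.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Note that `xmlrpc_enabled` is only checked for methods that require a login, so on its own it does not stop anonymous pingback requests; keep the `xmlrpc_methods` filter (or block xmlrpc.php at the web server) if pingback abuse is the concern.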

Shutting it off isn’t always the answer

Both the REST API and XML-RPC are genuinely useful features. Even if you’re not using them now, it’s a good idea to keep your options open. There’s no such thing as 100% security for a website, but plugins like the ones mentioned above put you on the right path.