Two weeks ago I discussed a plugin for ‘hiding’ WordPress login/admin sites: rather than /wp-admin/, we have /abrakadabra/ (or anything…). At a prior time, I had installed another plugin called WordFence. This allowed setting up 2FA (i.e., two-factor authentication with an Authenticator app) and provided a list of login attempts. The majority of targets were /wp-login.php (probably including redirections from /wp-admin).

After ‘hiding’ the admin login sites, these targets disappeared, but a new target appeared: /xmlrpc.php. And only /xmlrpc.php.
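As an added illustration (not code from the original post, and not WordFence’s own reporting), here is a small Python script that runs over constructed web-server access-log lines in the common “combined” format and tallies requests to the two endpoints discussed here, /wp-login.php and /xmlrpc.php, by path, by source IP and by response status. The sample lines and the IP addresses are made up for the example; on a real site you would feed it the server’s access log and the status tally tells you whether the endpoint is actually being refused (e.g. with a 503 from the plugin) or still answered.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# The two endpoints the post describes as the targets seen in the login-attempt list.
WATCHED = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log (hypothetical addresses, not real traffic): three POSTs to
# xmlrpc.php from one source, the hidden login path now answering 404, a normal
# visitor, one more xmlrpc.php hit from a second source, and the renamed admin path.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 503 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 503 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 503 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /2024/01/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:07:00 +0000] "POST /xmlrpc.php HTTP/1.1" 503 0 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2024:10:08:00 +0000] "GET /abrakadabra/ HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, method, path without query string, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop ?redirect_to=... so paths group together
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def summarize(log_text):
    """Tally requests to the watched endpoints by path, by source IP and by HTTP status."""
    by_path, by_ip, by_status = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash on them
        ip, _method, path, status = rec
        if path not in WATCHED:
            continue  # ordinary page views are not of interest here
        by_path[path] += 1
        by_ip[ip] += 1
        by_status[status] += 1
    return {"by_path": dict(by_path), "by_ip": dict(by_ip), "by_status": dict(by_status)}


def noisy_sources(summary, threshold=3):
    """Source IPs with at least `threshold` hits on the watched endpoints, most active first."""
    ranked = sorted(summary["by_ip"].items(), key=lambda kv: -kv[1])
    return [ip for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("by path:  ", s["by_path"])
    print("by ip:    ", s["by_ip"])
    print("by status:", s["by_status"])
    print("noisy sources:", noisy_sources(s))
```

With the sample above, all four xmlrpc.php requests show up as 503, which is what you would expect once the endpoint is blocked; a run showing 200s on /xmlrpc.php after you believe it is disabled is the signal that the setting did not take effect.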

What exactly is xmlrpc.php? Per this SO post from 2011, the ‘xmlrpc interface’ provides capabilities for 1) ‘pingbacks’ (i.e., notifications when someone ‘links’ to your post; I have this and comments disabled — if you want to reach out to me, my email is in the contact info); 2) ‘blogging from external sources’ like a phone (perhaps an app?) or a downloadable blogging app from which one can ‘publish’; and 3) certain plugins (e.g., Jetpack). The act of publishing itself would work over the xmlrpc api/gateway. (Some other more recent sources to look at for this include here, here, and here.)
I don’t use pingbacks nor do I ‘publish’ from my PC (I either copy-paste or edit directly online). Thus, I have no need for xmlrpc, so disabling it makes sense. Information from the above linked sites suggests that it is better to add a plugin rather than disable it within WordPress, since an update might undo the change when that particular file is updated.
Fortunately, I don’t need to locate another plugin since WordFence has this precise feature. Opening WordFence, one of the pages is called ‘Login Security’. Here, select the Settings tab and, in the 2FA section, there is an option to Disable XML-RPC authentication. I tick the checkbox for that option and choose ‘Save’ at the top.

WordFence already blocked these with a 503, but explicitly disabling is probably a good idea.
Also, if you, for whatever reason, do need/want XML-RPC, try a plugin like Disable XML-RPC-API (comes up in a search for ‘xmlrpc rename’) — though this particular app seems to have added advertising per the reviews… just use the search to find another. 😉