Security matters for every website. Nobody wants unknown users getting into the WordPress admin panel or publishing posts without permission. But how do you defend a WordPress site against this?

Getting started

From my experience, the most common attack I've seen against WordPress sites is the brute-force attack. The attacker takes a username (usually the site owner's, which WordPress makes easy to discover, for example through author archive URLs) and tries many passwords against it until one gets them into the admin panel. The 'hacker' doesn't guess by hand: a script sends the login attempts, thousands of them if nothing stops it.

WordPress has no built-in protection against this kind of attack: no rate limiting and no account lockout. There are plugins, though, that track login attempts for you and block the source after too many failures.
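What a brute-force run looks like from the web server's side, as an added example that is not part of the original post: the script below scans Apache access-log lines and flags any client that POSTs to wp-login.php or xmlrpc.php several times in a short window, which is the same signal the tracking plugins act on. The log lines are constructed for the example, the threshold and window are assumptions, and the function names are mine.

```python
"""Spot brute-force login runs in an Apache access log (wp-login.php and xmlrpc.php)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format. Only the client IP, timestamp, request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Both endpoints accept a username and password; hiding wp-login.php alone leaves xmlrpc.php.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log lines (documentation IP ranges); not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "Jetpack"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"attempts": n, "redirects": r}} for every client that POSTed to a
    login endpoint at least `threshold` times within any span of length `window`.

    Only POSTs count: a GET of wp-login.php is just the form being loaded. The status
    code does not decide anything, because a failed wp-login.php POST returns 200 and
    xmlrpc.php returns 200 whether the credentials were right or wrong. A 302 from
    wp-login.php is what a successful login looks like, so it is reported alongside."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path in LOGIN_PATHS:
            posts[ip].append((ts, path, status))

    flagged = {}
    for ip, hits in posts.items():
        hits.sort()
        times = [h[0] for h in hits]
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                redirects = sum(1 for _, p, s in hits if p == "/wp-login.php" and s == 302)
                flagged[ip] = {"attempts": len(hits), "redirects": redirects}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} login POSTs, {info['redirects']} redirect(s) from wp-login.php")
```

In the sample, 203.0.113.7 makes five login POSTs in eight seconds, split across both endpoints, and the last one is answered with a 302. A redirect after a run of 200s is the pattern of a guess that worked, so that client deserves an immediate look, not just a block. The single POST from 198.51.100.2 is a normal login and is not flagged.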

The advice you will hear most often is that a very strong password is a must, and it's true! Don't be afraid to change your password now and then. But back to the plugins: I've found some that you can use for free.

Moving the login page of your WordPress site away from its well-known address also makes it harder for automated attacks to find your login form. This can be done with a plugin too. Keep in mind that it only hides the form: xmlrpc.php still accepts a username and password (more on that below), so do this together with blocking XML-RPC, not instead of a strong password.

Changing the login page from 'wp-login.php' to 'login.php' is not a good option; that is the first thing an attacker will try. Choose something like timwlp.php (this is my WordPress login page) and keep in mind to remember this page. Don't rename the wp-login.php file itself on disk: the rest of WordPress links to it, and the next core update puts the original back. Let the plugin rewrite the URL instead.

What’s XML-RPC?

XML-RPC stands for 'XML Remote Procedure Call'. It is a protocol that encodes procedure calls and their parameters as XML and sends them over HTTP. In WordPress the endpoint that receives these calls is the xmlrpc.php file in the site root.

In plain English: anyone who knows XML-RPC can send a request to your WordPress site, and WordPress's built-in handler reads the XML message and runs the method named in it. Methods that change the site, such as creating a post, require a username and password inside the request, so a stranger cannot post without logging in. The problem is that xmlrpc.php is a second login endpoint: every such call is a password check, nothing you did to wp-login.php protects it, and the system.multicall method lets a client pack many calls into a single HTTP request.

But it isn't all bad! If you run several WordPress sites, XML-RPC can help you. Instead of logging in to each one and posting by hand, a publishing client (or a service such as Jetpack, which talks to your site through this endpoint) sends the requests to your WordPress sites for you.
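To make the two paragraphs above concrete, here is an added example (my code, not the author's and not part of WordPress) that builds and inspects XML-RPC messages offline with Python's standard library: a single wp.getUsersBlogs call carrying a username and password, a system.multicall that packs several such calls into one HTTP body, and the fault WordPress sends back when the credentials are wrong. LOGIN_METHODS is an assumed subset of the WordPress methods that require a login, chosen for illustration; no site is contacted.

```python
"""Build and inspect WordPress-style XML-RPC messages without a server."""
import xmlrpc.client

# A few XML-RPC methods that WordPress authenticates with a username and password passed
# in the request body. Assumed subset for illustration, not the complete list.
LOGIN_METHODS = {
    "wp.getUsersBlogs", "wp.getPosts", "wp.newPost", "wp.editPost",
    "metaWeblog.newPost", "metaWeblog.getRecentPosts", "blogger.getUsersBlogs",
}


def build_call(method, *params):
    """Serialise one <methodCall> the way a client POSTs it to /xmlrpc.php."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def build_multicall(calls):
    """Wrap several (method, params) pairs in one system.multicall request body."""
    wrapped = [{"methodName": m, "params": list(p)} for m, p in calls]
    return xmlrpc.client.dumps((wrapped,), methodname="system.multicall").encode()


def methods_in_request(body):
    """Return the method names a request body invokes, expanding system.multicall."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        return [call["methodName"] for call in params[0]]
    return [method]


def login_attempts(body):
    """Count the calls in one request that carry credentials; each one is a password check."""
    return sum(1 for m in methods_in_request(body) if m in LOGIN_METHODS)


def fault_response(code, message):
    """Server-side <methodResponse> carrying a <fault>, e.g. what a bad login gets back."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message), methodresponse=True).encode()


def ok_response(value):
    """Server-side <methodResponse> carrying one result value."""
    return xmlrpc.client.dumps((value,), methodresponse=True).encode()


def parse_response(body):
    """Decode a <methodResponse>; a <fault> is returned as ('fault', code, message)."""
    try:
        (result,), _ = xmlrpc.client.loads(body)
        return ("ok", result)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)


if __name__ == "__main__":
    # Constructed sample messages; the credentials are made up and nothing is sent anywhere.
    single = build_call("wp.getUsersBlogs", "admin", "P@ssw0rd")
    multi = build_multicall([("wp.getUsersBlogs", ("admin", pw)) for pw in ("123456", "letmein", "admin")])
    print(single.decode())
    print("single request:", methods_in_request(single), "login attempts:", login_attempts(single))
    print("multicall:", methods_in_request(multi), "login attempts:", login_attempts(multi))
    # WordPress answers a wrong username/password with fault code 403 and this message.
    print(parse_response(fault_response(403, "Incorrect username or password.")))
    print(parse_response(ok_response([{"blogName": "My Blog"}])))
```

Two things to take from this. The method name and the credentials live inside the POST body, so the access log shows only "POST /xmlrpc.php 200" whether the password was right or wrong; you have to look at the body, as login_attempts does, to know how many guesses a request carried. And one multicall body can hold many guesses. Current WordPress stops checking credentials after the first failed login inside a multicall, but the endpoint still accepts them one request at a time, which is why the tracking plugins watch xmlrpc.php as well as wp-login.php.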

How to disable it?

If you don't need it, there is no reason to leave it on, and if you follow the steps below you can re-enable it whenever you want. What most people ask is "Why not just delete the xmlrpc.php file?" It won't help: the next WordPress update, including the automatic security updates, restores the file.

Now the real solution. There are two easy ways to do this. One is to install a plugin that disables XML-RPC; these plugins use the xmlrpc_enabled filter that WordPress itself provides, which switches off every method that needs a login.

Or you can block it in the .htaccess file (recommended if your site runs on Apache) with the following lines:

## block XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Add these lines to the .htaccess file in your WordPress root directory. From then on anyone who requests xmlrpc.php, you included, gets the 403 Forbidden error page. Three caveats: order and deny are Apache 2.2 directives, and on Apache 2.4 they only work if mod_access_compat is loaded (the native 2.4 form inside the same <Files> block is Require all denied). The .htaccess file is only read by Apache; on nginx you deny the location in the server configuration instead. And because the web server now refuses the request before WordPress sees it, Jetpack and any other client that relies on XML-RPC will stop working until you remove the block.

Did these tips help you? Or do you have more tips to protect your WordPress website? Let us know in the comments!
