The best lightweight plugin for deactivating XML-RPC to improve WordPress security.

no cost

Save the Internet from WordPress speed abuse.

Updated: December 2017

5 minute read

We snoop on WPMU DEV often. Some may call this snooping industrial espionage. Maybe? It makes us feel 007ish. WPMU DEV is owned by Incsub, LLC. Who? Never heard of them. They’re one of our rival competitors. We’re small. They’re big. You’ll recognize their product names. More on those in a moment. They produce: “Your WordPress Toolkit.”

Incsub, LLC left off the word expensive. “Your Expensive WordPress Toolkit.” We duplicate their cool stuff with free plugins from the WordPress directory. Sadly, it makes them look greedy. It makes us smile.

Incsub, LLC are good at marketing and selling WordPress people premium plugins and themes. For the uninitiated, premium means paid. There are free alternatives they neglect telling you about. They don’t want us telling you about these plugin secrets either. That’s right. Free plugins exist duplicating their “premium” wizardry.

Incsub, LLC (aka WPMU DEV) have the art of producing customer fear down to a science. For example, you can take their WP-Checkup for free, once in a 24-hour period. (Sorry. Clearing browser cookies won’t get you a second shot. We tried). The checkup will frighten you. It frightened us anyway. OK. Not much.

Their claim:

Get a WordPress Checkup
Quick, Free & Easy
Get a professional performance, security and SEO scan

The goals is scaring the bejeezus out of you by convincing you your site is riddled full of holes and faults. The alarms encourage you to purchase their expensive membership as a solid solution. In this case, they include:

Hummingbird
performance
Make your site fly, save bandwidth and watch Google love you in return. (Put your wallet away and look at cost-saving FLY.ME Speed Knockoff first.)


Defender
security
Stay safe! Defender will harden, protect and scan your site daily.
(Once again, you can save dollars with POLICE.ME alternatives to save speed and money).


Smartcrawl
SEO
Boost your rankings with in-depth tech and some awesome tweaks. (Check out SEARCH.ME Speed Knockoffs before you buy Smart Crawl).

Their test produces a technospeak assessment about speed, security, and SEO. All regurgitated scary Google edicts from Google PageSpeed Insights. Most will not make any difference. But thinking you’ve violated Google’s code of conduct causes great fear in some less-web-savvy site owners. They have visions of blacklists or serious snubbing by search engines. Calm yourself. The Emperor has no clothes.

There are 10 performance parameters they test and report with a score of 100 being best and zero the worst. More in depth about the speed list here.

There are 25 SEO parameters tested and reported. Please don’t believe any of this SEO drivel and myths. What produces good SEO is relevant content and interesting titles. That’s it. All other details listed don’t move the needle for SEO. Complete waste of time and money. Write for humans – not machines.

Security assessment has 12 parameters. PagePipe had some errors reported we knew were false. For example: it said our user name was “admin.” It’s not. We’re using our POLICE.ME free security plugins. Good reports on everything.

But the test did draw our attention to a minor bugaboo we overlooked. It said a file named XML-RPC.php interface was available. So what? It’s part of WordPress core. We were curious about this and wanted to learn more. Was it bad? Was Defender plugin the only way to block this “security hole”? And how serious was the risk?

We discovered there was a legitimate concern to disable this file. Hackers can use it to gain access to your site. Could we do the repair for free? The answer is: yes.

We appreciate free, non-coding plugin solutions. But they shouldn’t add any page weight or load time to our website. We found a good plugin to add to our mix for security. It’s “Deactivate XML-RPC Service.” Why add it?

XML-RPC is used for remote posting/publishing and pingbacks. XML-RPC on WordPress is an API. If you disable the XML-RPC service, you lose the ability for applications to use this API to talk to WordPress. It’s used by phone Apps  interfacing with WordPress sites. It also presents an opportunity for malicious site attacks by hackers.

The code authors attest the programming of XML-RPC is as secure as the rest of the core files of WordPress. But some feel safer by disabling this file. If you don’t need it and it won’t slow down the site, why not disable it?

Have WordPress sites been compromised because of XML-RPC? Yes.

Disabling WordPress XML-RPC is a precautionary measure against brute force attacks. There are at least 14 Disable XML-RPC plugins in the WordPress plugin directory. That tells you something about community anxiety level. That’s a fair number of plugins. Many are pretty old (3 years) and some appear heavy. Not all work. We rejected three before we found one that really did the job.

Deactivate XML-RPC Service is the newest, freshest, and lightest (358 bytes is all and no HTTP requests or APIs). You install it and it’s a done deal. No settings.

Deactivate XML-RPC Service

Because Jetpack or remote mobile access need XML-RPC.php, then the only game in town is:

Stop XML-RPC Attack

Stop XML-RPC Attack is the heaviest package (usually meaning potentially slow). But it adds no weight or requests. And it works, too. We tested it – but aren’t using it. We don’t use Jetpack.

There’s a free online test of WordPress XML-RPC:

XML-RPC Validator

You don’t want to pass the test. You want the test to say: “Failed to check your site because of the following error: 405 error XML-RPC services are disabled on this site.”

We’re adding Deactivate XML-RPC Service as a recommendation in the POLICE.ME Speeder Knockoffs.

One more security plugin trick to consider is WPS Hide Login plugin. It’s a very lightweight plugin. It really only has one, active, 15k file. Ironically, almost all of the talk on their forum is about XML-RPC vulnerabilities. Which we’ve previously addressed above.

WPS Hide Login has 100,000 installs and 409,840 all time downloads. That is a 24 percent retention rate. That’s  high. A lot of people like “Hide Login” and are keeping it. A better indicator of value than popularity.

If you use WPS Hide login you need to watch out if you do a migration. Probably best to disable the plugin before that occurs.

You could get locked out really easily if you forget your assigned URL. Proceed with caution.

Godspeed—

Steve Teare
performance engineer

Mobile WordPress Speed – without coding!

What others think of us:


"Thank you so much for the thorough speed review and fast response. We truly appreciate your honesty and taking the time to direct us in the right direction." targetup.com Anaheim, CA, USA

by - Charles Equiarta