Intech Cloud offers a high level of security on your web hosting account. We have therefore implemented a new security layer that blocks the xmlrpc.php file of your WordPress installation by default.
The reason is that this file is a major weak point in your WordPress website's security.
Throughout our network, we have found that a popular way to attack a website is simply to ping the xmlrpc.php file of the WordPress installation from multiple other WordPress websites.
While this doesn't affect our servers directly, thanks to resource isolation, it will cause downtime on your website.
Since it takes very few resources to bring down a WordPress website this way, the attack has become quite popular.
Also, since the attacks rely on other websites, your own website may end up taking part in outgoing DDoS attacks. (You can check on the Sucuri website whether your website was involved in such attacks.)
WHAT IS THE XML RPC PROTOCOL?
The XML RPC protocol of WordPress behaves like an API (Application Programming Interface), allowing remote access to your website in order to administer it.
Thanks to this feature, you can publish, edit and delete blog posts/articles, upload media, list and edit your comments, change some administration options in settings, and list, edit, delete and publish categories.
HOW TO ENABLE THE XML RPC PROTOCOL FOR MY WEBSITE?
Given the features it provides, and because some popular plugins (such as Jetpack) rely on this protocol, you can of course unblock it directly from your control panel.
You can find the steps below:
1) Log in to your FTP account and list your public_html directory or your addon domain directory.
2) Find and download the .htaccess file of your website.
3) Append the code below:
<Files xmlrpc.php>
order allow,deny
allow from all
</Files>
This will forcefully allow the XML RPC protocol on your website.
4) In order to protect yourself from DDoS attacks, we recommend that you install the following 2 plugins:
- Wordfence Security: This plugin protects you from brute-force attacks based on xmlrpc.php by banning client files, and also protects your websites from many vulnerabilities.
- Disable XML-RPC Pingback: This plugin blocks the pingback feature of your website, preventing it from participating in attacks.
**Please note that if you have subdomains or addon domains using WordPress inside your public_html directory, this rule will be passed on to them and will expose all of your WordPress installations to DDoS attacks, so we recommend installing the plugins on all of your websites.**
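
Once xmlrpc.php is reachable again, the access log shows whether it is being hit in the way described above. The script below is an added example, not Intech Cloud tooling: it assumes the Apache "combined" log format, a hypothetical threshold of 3 requests, constructed sample lines, and the "verifying pingback from" User-Agent text that WordPress sends when it checks a pingback.

```python
import re
from collections import Counter

# Apache "combined" format:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def summarize(lines, threshold=3):
    """Return (noisy_ips, pingback_sources) for xmlrpc.php-related traffic.

    noisy_ips: {ip: count} for clients with >= threshold POSTs to any
    xmlrpc.php (including installs in subdirectories / addon domains).
    pingback_sources: Counter of client IPs whose User-Agent marks a
    WordPress pingback verification request hitting this site.
    """
    posts, pingbacks = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            posts[m["ip"]] += 1
        ua = m["ua"]
        if ua.startswith("WordPress/") and "verifying pingback" in ua:
            pingbacks[m["ip"]] += 1
    noisy = {ip: n for ip, n in posts.items() if n >= threshold}
    return noisy, pingbacks

# Constructed sample lines (documentation IP ranges, not real traffic).
T = "[10/Oct/2023:13:55:36 +0000]"
SAMPLE = [
    f'203.0.113.10 - - {T} "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
] * 3 + [
    f'198.51.100.7 - - {T} "POST /blog/xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleClient/1.0"',
    f'192.0.2.55 - - {T} "GET / HTTP/1.1" 200 5120 "-" '
    '"WordPress/4.9; http://blog.example; verifying pingback from 203.0.113.99"',
    f'192.0.2.80 - - {T} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    noisy, pingbacks = summarize(SAMPLE)
    print("Repeated xmlrpc.php POSTs:", noisy)
    print("Pingback verification hits:", dict(pingbacks))
```

To use it on real data, pass the lines of your site's access log to `summarize()` and raise the threshold to match your normal XML RPC traffic (for example from Jetpack).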