[Defender Pro] Defender says XML-RPC is disabled but WP Checkup says it's enabled

I've used Defender Pro to disable XML-RPC and it's listed under the Security Tweaks as being "Resolved", however, when I run your WP Checkup tool it lists XML-RPC as being enabled. I actually had this problem with another website of mine running Defender Pro where the site actually was attacked using XML-RPC even though I thought it was disabled. I contacted my host provider (Cloudways) and they confirmed that it wasn't disabled and was being exploited. I had to add custom code to my functions.php file in that case to actually disable it.

Could you guys please look into this and help to identify why this is happening?

  • Nebu John
    • Staff

    Hi AtmoVantage,

    I hope you're well today and thank you for reaching out to us!

    There are usually two ways to disable the XML-RPC:

    1: Block the entire xmlrpc.php file with .htaccess, so no one can access it.
    2: Block the XML-RPC methods which require authentication, the WordPress way, using these filters:

    add_filter( 'xmlrpc_enabled', '__return_false' );
    add_filter( 'xmlrpc_methods', 'block_xmlrpc_attacks' );

    You could find more details here:
    https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/
    https://developer.wordpress.org/reference/hooks/xmlrpc_methods/

    Defender Pro uses the second method; we have blocked all the XML-RPC methods like:

    wp.getUsersBlogs
    wp.newPost
    wp.editPost
    wp.deletePost

    ...

    We only accept two methods for pingback:

    pingback.ping
    pingback.extensions.getPingbacks

    Here are more details about Pingback: https://www.wpbeginner.com/glossary/pingback/

    So this is secure enough, but if you want to disable the whole XML-RPC, you can add the following code at the very bottom of the .htaccess file:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    deny from all
    </Files>

    Let me know if you have any questions regarding this issue!

    Kind Regards,
    Nebu John
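As an added illustration of the "second method" described in the reply above, here is a small must-use plugin written for this thread; it is not Defender Pro's code, and the allow-list of exactly the two pingback methods, the file name and the logging line are this example's own assumptions. It hooks the same two core filters linked above: `xmlrpc_enabled` returning false makes core refuse every method that needs a login, and `xmlrpc_methods` trims the method map that xmlrpc.php exposes down to pingbacks only.

```php
<?php
/**
 * Plugin Name: XML-RPC pingback-only lockdown (added example, not Defender Pro code)
 *
 * Assumed location: wp-content/mu-plugins/xmlrpc-pingback-only.php, so it loads
 * on every request without activation. Requires WordPress; nothing else.
 */

// Assumption: only the two pingback methods named in the thread should remain.
// Every other method core registers (wp.*, blogger.*, metaWeblog.*, mt.*) is dropped.
const XMLRPC_PINGBACK_ONLY_ALLOWED = array(
    'pingback.ping',
    'pingback.extensions.getPingbacks',
);

/**
 * Core calls this filter from the XML-RPC login path. Returning false makes
 * every method that requires authentication (wp.getUsersBlogs, wp.newPost,
 * wp.editPost, wp.deletePost, ...) answer with an "XML-RPC services are
 * disabled on this site" fault. Methods that need no login, such as
 * pingback.ping, are not affected by this filter.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );

/**
 * Core passes the full "method name => callback" map it has built and uses
 * whatever this filter returns as the server's method table. Keeping only the
 * allowed keys removes the authenticated methods entirely, so they cannot even
 * be used to probe credentials before the xmlrpc_enabled check fires.
 *
 * @param array<string, mixed> $methods Method map built by wp_xmlrpc_server.
 * @return array<string, mixed> The reduced map.
 */
function xmlrpc_pingback_only_methods( array $methods ): array {
    return array_intersect_key(
        $methods,
        array_flip( XMLRPC_PINGBACK_ONLY_ALLOWED )
    );
}
add_filter( 'xmlrpc_methods', 'xmlrpc_pingback_only_methods' );

/**
 * Detection aid (assumption for this example): core fires the 'xmlrpc_call'
 * action with the method name at the start of each handled method. Logging
 * the surviving pingback calls with the caller's address gives you a record
 * to review if the endpoint is being hammered, without blocking anything.
 */
function xmlrpc_pingback_only_log( string $method ): void {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( '[xmlrpc-pingback-only] %s called from %s', $method, $remote ) );
}
add_action( 'xmlrpc_call', 'xmlrpc_pingback_only_log' );
```

Why an external checker still reports XML-RPC as "enabled" after this: the filters change what the endpoint will do, not whether it exists. xmlrpc.php still accepts POST requests and still answers with a valid XML-RPC response (for example, a fault for a removed method), so a remote scanner that only tests whether the endpoint responds sees a live XML-RPC service. Only the first method, blocking the file at the web-server level as in the .htaccess snippet above, turns those requests into an HTTP 403. One caveat on that snippet: `deny from all` is Apache 2.2 syntax, and on Apache 2.4 it only works when mod_access_compat is loaded; the native 2.4 equivalent inside the `<Files xmlrpc.php>` block is `Require all denied`. Nginx has no .htaccess at all, so on such hosts the block has to go into the server configuration instead.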

  • AtmoVantage
    • Stormageddon, Dark Lord of All

    Hi Nebu,

    That makes sense, however is there a way for WP Checkup to detect which of the two methods has been used so we have some consistency? It's a little misleading for Defender Pro to say it's disabled XML-RPC while your own tool WP Checkup says otherwise.

    Best Regards,

    Austin

  • Nebu John
    • Staff

    Hello AtmoVantage,

    Hope you are doing well today.

    I understand your concern. Also, I have contacted the developers regarding this and they will be looking into it further.

    Feel free to get back to us if you have any doubts or need any further help. 🙂

    Kind Regards,
    Nebu John
