Dec 30, 2015
 

This All In One WP Security Plugin Pingback Protection Settings post shows you how to enable the settings and check whether the xmlrpc.php file is working correctly on your website.

Last Updated: November 28, 2019

Latest News: Updated the documentation.

Many users keep reporting that their website receives too many lockouts from various IP addresses. In some cases it might be one IP address that keeps finding a way to your website's admin login. The first step you should take is to enable one of the features found in the following link, Brute Force features, such as renaming the login page. This will stop users from trying to access your admin login page.

If you still receive many login attempts to your admin account, it is most probably because they are targeting your xmlrpc.php file. This file can be found in the WordPress root directory of your site. Enabling one of the following features can help you reduce or stop further login attempts.

All In One WP Security Plugin Pingback Protection Settings

Step 1 ) Go to WP Security -> Firewall -> Basic Firewall Rules and enable one of the following security options as illustrated in the image below.

Basic Firewall Rules Features

  • Completely Block Access To XMLRPC:
  • Disable Pingback Functionality From XMLRPC:

Note: Make sure you click on the More Info link as illustrated in the image below before you enable any of these options.


When you enable Completely Block Access To XMLRPC: you will see the following message appear in your admin panel. Enabling this feature blocks access to the xmlrpc.php file. This file can be found in the WordPress root directory of your website installation.

(Attention: You have enabled the “Completely Block Access To XMLRPC” checkbox which means all XMLRPC functionality will be blocked.
By leaving this feature enabled you will prevent Jetpack or WordPress iOS or other apps which need XMLRPC from working correctly on your site.
If you still need XMLRPC then uncheck the “Completely Block Access To XMLRPC” checkbox and enable only the “Disable Pingback Functionality From XMLRPC” checkbox. )

Note: Only enable Completely Block Access To XMLRPC: if you only log in through your website. Enable the other option if you access your website via other means like remote access etc.

When you enable Completely Block Access To XMLRPC: and type yoursite.com/xmlrpc.php in the browser, you should see a 403 forbidden message, or something similar depending on how you have set up your website security.

If you don’t see the above forbidden message and instead see the message XML-RPC server accepts POST requests only, the xmlrpc.php file is still active and working on your site. That means that, for some unknown reason, the plugin did not write the correct rules to your .htaccess file.

Note: The above does not apply if you enable the option Disable Pingback Functionality From XMLRPC:.

=====================================

Troubleshooting XMLRPC

Option 1 ) Disable the option Completely Block Access To XMLRPC: and save the settings. Log out, log back in and activate the Completely Block Access To XMLRPC: option again. Type yoursite.com/xmlrpc.php in your browser. You should see a 403 forbidden message.

Note: If the above did not work, carry on to the next option.

=====================================

Option 2 ) FTP into your website and locate your .htaccess file (this file is located at the root of your WordPress install). Download the .htaccess file to your computer or laptop. Open the file with a plain text editor like Notepad in Windows and locate the rules listed below. If you don’t see these rules, copy the rules below into your .htaccess file. Save the file and upload it back to where you found it, in the root of your WordPress install on your server.

#AIOWPS_PINGBACK_HTACCESS_RULES_START
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
#AIOWPS_PINGBACK_HTACCESS_RULES_END

Type yoursite.com/xmlrpc.php in your browser. You should see a 403 forbidden message.

Note: If the above did not work, carry on to the next option.
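
The two checks described above, as an added example (not part of the original post or the plugin's own code): it looks for the rule block between the plugin's markers in a downloaded copy of .htaccess and interprets the response seen at yoursite.com/xmlrpc.php. The function names and the sample inputs are assumptions constructed for illustration.

```python
import re

START = "#AIOWPS_PINGBACK_HTACCESS_RULES_START"
END = "#AIOWPS_PINGBACK_HTACCESS_RULES_END"

def check_htaccess(text):
    """Report whether the xmlrpc.php deny rules sit intact between the plugin markers."""
    lines = [ln.strip() for ln in text.splitlines()]
    if START not in lines or END not in lines:
        return "missing: plugin markers not found"
    start, end = lines.index(START), lines.index(END)
    if end < start:
        return "broken: end marker precedes start marker"
    # Blank lines and '#' comments have no effect, so a commented-out rule does not count.
    rules = [ln.lower() for ln in lines[start + 1:end] if ln and not ln.startswith("#")]
    try:
        opened = rules.index("<files xmlrpc.php>")
        closed = rules.index("</files>", opened)
    except ValueError:
        return "broken: no <Files xmlrpc.php> section between markers"
    body = [re.sub(r"\s+", " ", ln) for ln in rules[opened + 1:closed]]
    if "deny from all" not in body:
        return "broken: section does not deny access"
    return "ok"

def classify_response(status, body):
    """Map what the browser shows for /xmlrpc.php to the outcomes the post describes."""
    if status == 403:
        return "blocked"
    if "XML-RPC server accepts POST requests only" in body:
        return "active"
    return "inconclusive"

# Constructed sample .htaccess contents (not taken from a real site).
GOOD = """# BEGIN WordPress
# END WordPress
#AIOWPS_PINGBACK_HTACCESS_RULES_START
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
#AIOWPS_PINGBACK_HTACCESS_RULES_END
"""
NO_RULES = "# BEGIN WordPress\n# END WordPress\n"
COMMENTED = GOOD.replace("deny from all", "#deny from all")

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("no rules", NO_RULES), ("commented", COMMENTED)]:
        print(name, "->", check_htaccess(text))
    print(classify_response(405, "XML-RPC server accepts POST requests only."))
```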

=====================================

Option 3 ) Sometimes your file permissions might be incorrect. Click the following link file permissions to learn more.

If the file permissions link above does not help you, try the following steps.

  • Edit your .htaccess file and remove the plugin's entries.
  • Save your .htaccess file and upload it again to your server.
  • Reinstall the AIOWPS plugin and activate it. Make sure you say Yes to enabling the previous settings. This will write all the rules again to the .htaccess file.
  • Then carry out a test.

If it is working correctly, it will stop anyone from trying to access your website via the xmlrpc.php file.

=====================================

I hope the above documentation helps you.

If you have any questions please let me know.

Enjoy.

All In One WP Security & Firewall Plugin Tutorial List

I have been working in IT since 1999 and I enjoy the challenges it brings me. I love developing websites with WordPress. I spend a lot of time helping out in wordpress.org forums. I have been writing tutorials since 2011. Now I am learning how to manage my own VPS "Virtual Private Server".
