trellis-disable-xml-rpc

Disable WordPress XML-RPC on Trellis sites.

• Goal
• Why disable WordPress XML-RPC?
• Requirements
• Installation
• Known Issues
  • Incompatible Plugins
• FAQs
  • Can I use this on managed hosting?
  • It looks awesome. Where can I find some more goodies like this?
  • This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?
• Testing
  • Syntax Check
• Author Information
• Feedback
• Change log
• License

Goal

Deny all requests to WordPress XML-RPC (i.e: /wp/xmlrpc.php) by Nginx.

Why disable WordPress XML-RPC?

• Kinsta: What is WordPress XML-RPC and How To Stop an Attack
• WPMU DEV: XML-RPC and Why It’s Time to Remove it for WordPress Security
• Sucuri: New Brute Force Attacks Exploiting XMLRPC in WordPress
• Incapsula: WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks
• LittleBizzy: How (And Why) To Disable WordPress XML-RPC

Requirements

• Trellis 17c26fc or later
• Ansible v2.6 or later

Installation

Add this role to requirements.yml:

# requirements.yml
- src: https://github.com/ItinerisLtd/trellis-disable-xml-rpc
  version: 0.2.0 # Check for latest version!

Run the command:

➜ ansible-galaxy install -r requirements.yml --force

Add the role into dev.yml and server.yml, immediately after role: wordpress-setup:

roles:
  # Some other Trellis roles ...
  - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }
  - { role: trellis-disable-xml-rpc, tags: [nginx, wordpress, wordpress-setup] }
  # Some other Trellis roles ...

Then, re-provision as usual:

# https://roots.io/trellis/docs/local-development-setup/
➜ vagrant reload --provision

# https://roots.io/trellis/docs/remote-server-setup/
➜ ansible-playbook server.yml -e env=<environment>

Known Issues

Incompatible Plugins

Unfortunately, some plugins still relying on WordPress XML-RPC:

• Jetpack

FAQs

Can I use this on managed hosting?

No, you can't use this on managed hosting such as Kinsta or WP Engine.

You can disable WordPress XML-RPC by filters:

• xmlrpc_enabled - The name is misleading!
• xmlrpc_methods
• xmlrpc_element_limit

Or, just use our plugin - itineris-disable-xml-rpc

It looks awesome. Where can I find some more goodies like this?

• Articles on Itineris' blog
• More projects on Itineris' GitHub profile
• Follow @itineris_ltd and @TangRufus on Twitter
• Hire Itineris to build your next awesome site

This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?

Thanks! Glad you like it. It's important to make my boss know somebody is using this project. Instead of giving reviews on wp.org, consider:

• tweet something good with mentioning @itineris_ltd
• star this Github repo
• watch this Github repo
• write blog posts
• submit pull requests
• hire Itineris

Testing

Syntax Check

➜ ansible-playbook -i 'localhost,' --syntax-check tests/test.yml

Author Information

trellis-disable-xml-rpc is a Itineris Limited project created by Tang Rufus.

Special thanks to the Roots team whose Trellis make this project possible.

Full list of contributors can be found here.

Feedback

Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.

Change log

Please see CHANGELOG for more information on what has changed recently.

License

trellis-disable-xml-rpc is released under the MIT License.