Jetpack or other plugins can't connect to WordPress

Short version:

In the root of your main FTP account, you'll find an .htaccess file - in this file you'll find something like this:

<Files xmlrpc.php>
    Order Allow,Deny
    Deny from All

You can simply remove this code, and it will allow xmlrpc.php again. But expect increased resource usage and massive bruteforce attacks.


What is xmlrpc.php?

XML-RPC is a RPC protocol that uses XML for communication, it's basically a small API around your application that you can talk to using XML.

xmlrpc.php in WordPress simply calls a bunch of WordPress functions, and it allows you to programtically manage your website and perform certain actions on your WordPress website.

Why is it bad?

xmlrpc.php isn't exactly bad, however it opens up for performing brute force amplification attacks, which uses both a lot of resources, but also increases the risk of your website getting compromised.

WordPress xmlrpc.php implements a function called system.multicall which allows you to perform the same action over and over again, this means an attacker would be able to test thousands of passwords against your WordPress site with only a few amount of calls instead of trying to brute force using wp-login.php

Why do you block it?

We block xmlrpc.php from getting accessed by default on all our hosting plans, we do this because the actual usage of xmlrpc.php are quite minimal, less than 1% of the WordPress sites we host, actually make use of it.
Allowing xmlrpc.php increases the chances for large brute force attacks which is a security concern, but at same time the amount of resources spend processing these xmlrpc.php brute force attacks can be spend better.

So it boils down to security and resource usage.

Every single day we're blocking more than 25.000 brute force attacks coming from xmlrpc.php, each call containing on average about 400 passwords - that's equal 10 million login attempts per day.

Do the blocking affect my site in any way?

If you're using JetPack plugin or the WordPress application your mobile devices, then we advise removing the block, external systems that do make use of xmlrpc.php would have to either be whitelisted by IP, or simply remove the block.

If you're not using a plugin that relies on xmlrpc.php (99% of sites doesn't), then it won't have any issues at all due to the xmlrpc.php block.
xmlrpc.php is an external API endpoint, WordPress itself doesn't use - so your sites functionality won't stop working due to a block of xmlrpc.php

My error log shows it got blocked, is that an issue?

If you look in your "Errors" page in cPanel you might see entries that look similar to the one below:

[Sat Jan 14 02:41:21.751184 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 176.139.XX.X:63XXX] AH01797: client denied by server configuration: /home/XXXXXXXX/public_html/xmlrpc.php

This error comes from the Apache module "mod_access_compat", it's basically the output from "allow,deny" entries from the block we have. Whenever something goes against a certain restriction, the Apache module will log an error that it blocked a request.
These errors are expected since these brute force attacks happens constantly, and it's just an indicator that a request of any kind to xmlrpc.php got blocked.

  • 56 Users Found This Useful
Was this answer helpful?

Related Articles

I can't reach my site or email

If you cannot reach your site we advise you to check a site like:...

Do you offer X software

If we offer something, it will generally be listed on our website under...

How do I find the IP for my hosting account

The IP for your hosting account is listed in the email you got during signup of your account.You...

I can't send email using an external email service

All our infrastructure deployed since the beginning of 2017 and forward, we block the outgoing...

How to install WordPress

Applies to server7, server8, server9, server10, server11, server12, server13 To install...