Jetpack or other plugins can't connect to WordPress

Short version:

In the root of your main FTP account, you'll find an .htaccess file - in this file you'll find something like this:

<Files xmlrpc.php>
    Order Allow,Deny
    Deny from All
</Files>

You can simply remove this code and xmlrpc.php will be accessible again. But expect increased resource usage and massive brute force attacks.


What is xmlrpc.php?

XML-RPC is an RPC protocol that uses XML for communication; it's basically a small API around your application that you can talk to using XML.

xmlrpc.php in WordPress simply calls a number of WordPress functions, and it allows you to programmatically manage your website and perform certain actions on it.

Why is it bad?

xmlrpc.php isn't bad in itself, but it opens the door to brute force amplification attacks, which consume a lot of resources and also increase the risk of your website being compromised.

The WordPress xmlrpc.php implements a method called system.multicall, which allows many method calls to be bundled into a single request. This means an attacker can test thousands of passwords against your WordPress site with only a handful of requests instead of brute-forcing through wp-login.php one attempt at a time.

Why do you block it?

We block access to xmlrpc.php by default on all our hosting plans because its actual usage is quite minimal: less than 1% of the WordPress sites we host actually make use of it.
Allowing xmlrpc.php increases the chances of large brute force attacks, which is a security concern, and at the same time the resources spent processing these xmlrpc.php brute force attacks could be spent better.

So it boils down to security and resource usage.

Every single day we block more than 25,000 brute force attacks aimed at xmlrpc.php, each call containing on average about 400 passwords. That's equal to 10 million login attempts per day.

Does the blocking affect my site in any way?

If you're using the Jetpack plugin or the WordPress application on your mobile devices, we advise removing the block. External systems that do make use of xmlrpc.php would have to either be whitelisted by IP, or you simply remove the block.

If you're not using a plugin that relies on xmlrpc.php (99% of sites don't), the xmlrpc.php block won't cause any issues at all.
xmlrpc.php is an external API endpoint that WordPress itself doesn't use, so your site's functionality won't stop working because of a block on xmlrpc.php.

My error log shows it got blocked, is that an issue?

If you look in your "Errors" page in cPanel you might see entries that look similar to the one below:

[Sat Jan 14 02:41:21.751184 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 176.139.XX.X:63XXX] AH01797: client denied by server configuration: /home/XXXXXXXX/public_html/xmlrpc.php

This error comes from the Apache module "mod_access_compat"; it's basically the output of the "allow,deny" entries in the block we have. Whenever a request runs into such a restriction, the Apache module logs an error saying that it blocked the request.
These errors are expected since these brute force attacks happen constantly; they're just an indicator that a request of some kind to xmlrpc.php got blocked.
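If you want to see how much of that expected noise is aimed at xmlrpc.php and from where, the following added example (not part of this article or of cPanel) parses the AH01797 "client denied" entries shown above and counts blocked xmlrpc.php requests per client IP. The log lines, IPs and paths in it are constructed, it assumes IPv4 clients, and it deliberately skips other denied paths and unrelated error entries.

```python
import re
from collections import Counter

# Constructed sample of cPanel/Apache error-log lines (IPs and paths are made up).
SAMPLE_LOG = """\
[Sat Jan 14 02:41:21.751184 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 203.0.113.7:63011] AH01797: client denied by server configuration: /home/example/public_html/xmlrpc.php
[Sat Jan 14 02:41:22.003311 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 203.0.113.7:63012] AH01797: client denied by server configuration: /home/example/public_html/xmlrpc.php
[Sat Jan 14 02:41:25.118002 2017] [access_compat:error] [pid 416005:tid 140428175173377] [client 198.51.100.42:51337] AH01797: client denied by server configuration: /home/example/public_html/xmlrpc.php
[Sat Jan 14 02:42:01.555000 2017] [access_compat:error] [pid 416006:tid 140428175173378] [client 198.51.100.42:51340] AH01797: client denied by server configuration: /home/example/public_html/wp-config.php.bak
[Sat Jan 14 02:42:09.000000 2017] [core:error] [pid 416006:tid 140428175173379] [client 192.0.2.9:40001] AH00124: Request exceeded the limit of 10 internal redirects
this line is not an apache error entry
"""

# Matches the mod_access_compat "client denied by server configuration" entry.
# The client field is "ip:port" for IPv4; the port is stripped (IPv6 is not handled here).
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[access_compat:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[^\]]+?)(?::\d+)?\] AH01797: client denied by server configuration: (?P<path>\S+)$"
)


def parse_denied(line):
    """Return (timestamp, client_ip, path) for an AH01797 entry, or None for any other line."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("path")


def blocked_xmlrpc_by_client(log_text):
    """Count blocked xmlrpc.php requests per client IP, ignoring other denied paths and unrelated errors."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_denied(line)
        if parsed is None:
            continue
        _ts, ip, path = parsed
        if path.endswith("/xmlrpc.php"):
            counts[ip] += 1
    return counts


def noisy_clients(counts, threshold):
    """Clients whose blocked-xmlrpc.php count meets the threshold, most active first."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    totals = blocked_xmlrpc_by_client(SAMPLE_LOG)
    print(f"blocked xmlrpc.php requests: {sum(totals.values())}")
    for ip, n in noisy_clients(totals, threshold=2):
        print(f"{ip}: {n}")
```

Point the script at the "Errors" log from cPanel instead of SAMPLE_LOG to get the same per-client breakdown for your own site; a client far above the others is the blocked brute force traffic the article describes, not a broken site.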
