Question

Is XMLRPC.php being blocked?

Posted on November 13, 2024
WordPress
Asked by 7fd8eb75f59545bfbcfae58b41f156

I have a droplet that I created with wordpress already installed. Super convenient.

I am trying to utilize jetpack connections for connecting wordpress to facebook. It sees my facebook but errors every connection attempt during setup. Checking google and jetpack support pages, it appears that xmlrpc.php needs to return that its open for posts, but when I try the url it just auto redirects me to my main site.

Seems like xmlrpc is being blocked then. I confirmed its in the folder, so it does exit. How do I unblock it?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

alexdo

Site Moderator

• November 14, 2024

Hello, @7fd8eb75f59545bfbcfae58b41f156

DigitalOcean will not block xmlrpc.php by default, but this is usually recommended process as part of securing your droplet against attacks.

You can check your virtual config file for any code blocks like:

<VirtualHost>
    <files xmlrpc.php>
      order allow,deny
      deny from all
    </files>
</VirtualHost>

You can check this article here and see if any of the recommneded solutions has been already implemented on your droplet:

https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-from-xml-rpc-attacks-on-ubuntu-14-04

Regards

Bobby Iliev

Site Moderator

• November 14, 2024

Hey there!

DigitalOcean itself does not block access to xmlrpc.php, so the issue is likely related to your WordPress configuration or a plugin that’s been set up on your Droplet.

Many security plugins (like Wordfence, iThemes Security, or All In One WP Security) will block xmlrpc.php to prevent potential attacks. If you have any of these (or similar) plugins installed, check their settings to see if XML-RPC is disabled. You might need to temporarily disable the plugin to see if that resolves the issue.

If the plugins aren’t blocking it, check your web server settings. Sometimes, there can be configurations in Nginx or Apache that restrict access to xmlrpc.php.

For Nginx: Open your site’s configuration file:

sudo nano /etc/nginx/sites-available/your_domain

Look for a section like this:

location ~* ^/xmlrpc.php$ {
    deny all;
}

If found, remove or comment it out, then reload Nginx:

sudo systemctl reload nginx

For Apache, check your .htaccess file:
```
sudo nano /var/www/html/.htaccess
```
Look for any lines blocking access to xmlrpc.php and remove them.

Let me know if that helps!

- Bobby

KFSys

Site Moderator

• November 13, 2024

Heya,

Check .htaccess for Rules Blocking XML-RPC: Open your .htaccess file and look for any rules that might block or redirect access to xmlrpc.php. If you see any lines specifically blocking xmlrpc.php, you can comment them out by adding a # at the beginning of those lines.
Check the Server Configuration (Apache/Nginx): If you’re using Apache or Nginx, sometimes server configurations are set to block xmlrpc.php for security reasons. Look in your server configuration files for any mention of xmlrpc.php and remove or comment out any lines that restrict access.
Ensure XML-RPC is Enabled in WordPress: In recent WordPress versions, XML-RPC is enabled by default. However, some security plugins disable it. Check any security plugins you have installed and make sure they aren’t blocking xmlrpc.php.
Whitelist XML-RPC in Firewall Settings: If your droplet has a firewall (like UFW on Ubuntu or other security plugins in WordPress), make sure it allows access to xmlrpc.php.
Testing Access to XML-RPC: After making these changes, try accessing https://yourdomain.com/xmlrpc.php in your browser. You should see the message “XML-RPC server accepts POST requests only,” which indicates it’s accessible.