Late last week the Sucuri security blog announced that they have seen a large uptick in brute force attacks on WordPress sites using XML-RPC, and today we’ll go over 3 very quick and easy ways to turn off XML-RPC on all your MainWP Child sites.
The Sucuri Blog goes into great detail on how the attack works and I recommend you check that out if you want the full details.
MainWP does not communicate with your Child sites through XML-RPC, so it is safe to turn it off without affecting MainWP usability. However, some plugins, such as Jetpack, do, in which case you will want to verify how your site will be affected before turning it off.
If you have the iThemes Security Extension:
- Go to Extensions –> iThemes Security Extension –> Settings
- Find the WordPress Tweaks section and locate XML-RPC
- Select either “Only Disable TrackBacks/Pingbacks” or “Completely Disable XMLRPC”
- Save all Changes
This turns on that iThemes setting for all your Child sites.
If you have the Wordfence Extension:
Edit: According to the link provided by Dr. Wayne Buckhanan from the Wordfence Blog, these steps are irrelevant since their plugin stops the attack automatically: WordPress XML-RPC Brute Force Attacks with multiple logins.
“We did not need to modify Wordfence to provide protection against this attack. It simply protects you out of the box.”
Note: this one did take a bit to find, so if you have an easier way using Wordfence, please leave it in the comments.
- Go to Extensions –> Wordfence Extension –> Wordfence Settings
- Find Security Level
- Select Level 4: Lockdown
- Save Settings
This turns on that Wordfence setting for all your Child sites.
Install a plugin to block XML-RPC
- Go to MainWP Dashboard –> Plugins –> Install (/wp-admin/admin.php?page=PluginsInstall)
- Search “Disable XML-RPC” in the Search field
- Be sure to select “Activate plugin after installation”
- Select all the sites you want to install it on from the right
- Press install now for Disable XML-RPC
This will turn off XML-RPC on all your Child sites.
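Whichever method you use, it is worth confirming the result on each Child site. The script below is an added example, not code from MainWP or any of the plugins above: it sends one `wp.getUsersBlogs` call with deliberately invalid credentials to a site's `/xmlrpc.php` and classifies the reply. The function names and result labels are hypothetical, and treating any non-200 status as "blocked" is an assumption; fault code 405 is what WordPress core returns when XML-RPC is disabled through its `xmlrpc_enabled` filter.

```python
import urllib.error
import urllib.request
import xmlrpc.client


def classify_xmlrpc_response(status, body):
    """Classify the reply to a wp.getUsersBlogs call made with invalid credentials."""
    if status != 200:
        return "blocked"  # assumption: refused before WordPress answered (403, 404, ...)
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # Fault 405: authenticated methods are switched off (xmlrpc_enabled is false).
        # Any other fault (e.g. 403, bad login) means the login was actually checked.
        return "auth-disabled" if fault.faultCode == 405 else "enabled"
    except Exception:
        return "unknown"  # not an XML-RPC reply (HTML page, empty body, ...)
    return "enabled"  # a normal methodResponse: the endpoint is fully live


def probe(site_url, timeout=10):
    """Send a single check request to site_url/xmlrpc.php and classify the answer."""
    payload = xmlrpc.client.dumps(("invalid-user", "invalid-pass"), "wp.getUsersBlogs")
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=payload.encode("utf-8"),
        headers={"Content-Type": "text/xml"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_xmlrpc_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_xmlrpc_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


def sample_fault(code, message):
    """Build a constructed XML-RPC fault reply so the classifier can be tried offline."""
    return (
        '<?xml version="1.0"?><methodResponse><fault><value><struct>'
        f"<member><name>faultCode</name><value><int>{code}</int></value></member>"
        f"<member><name>faultString</name><value><string>{message}</string></value></member>"
        "</struct></value></fault></methodResponse>"
    )


if __name__ == "__main__":
    print(classify_xmlrpc_response(200, sample_fault(405, "XML-RPC services are disabled on this site.")))
    print(classify_xmlrpc_response(200, sample_fault(403, "Incorrect username or password.")))
```

Call `probe("https://child-site.example")` once per Child site (the hostname is a placeholder); a result of `enabled` means XML-RPC logins are still being processed on that site.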