Technical Debt: XML-RPC endpoint exposed on PayPerFax

Resolved 💬 2 comments Opened Dec 13, 2025 by adam-marash Closed Dec 13, 2025

Summary

WordPress exposes /xmlrpc.php by default, which is a legacy API endpoint that presents security risks and is not needed for our use case.

Current State

  • Created wp-content/mu-plugins/cleanup-head.php to remove the RSD discovery link from <head>
  • This removes the <link rel="EditURI" href="/xmlrpc.php?rsd" /> tag from all pages
  • However, the endpoint itself is still accessible and functional

Remaining Risk

The /xmlrpc.php endpoint is still reachable and can be targeted for:

  • Brute force login attempts (xmlrpc.php allows multiple login attempts per request)
  • DDoS amplification via pingback
  • Server resource exhaustion

Recommended Actions

  1. Block at server level (preferred): Add nginx/Apache rule to return 403 for /xmlrpc.php
  2. Or disable via WordPress: Add add_filter('xmlrpc_enabled', '__return_false'); to the mu-plugin
  3. Or use a security plugin: Wordfence, Sucuri, etc. can disable XML-RPC

Priority

Low - the discovery link is removed, reducing automated scanning risk. Full remediation can be scheduled during regular maintenance.

References

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗