Technical Debt: XML-RPC endpoint exposed on PayPerFax
Resolved 💬 2 comments Opened Dec 13, 2025 by adam-marash Closed Dec 13, 2025
Summary
WordPress exposes /xmlrpc.php by default, which is a legacy API endpoint that presents security risks and is not needed for our use case.
Current State
- Created
wp-content/mu-plugins/cleanup-head.phpto remove the RSD discovery link from<head> - This removes the
<link rel="EditURI" href="/xmlrpc.php?rsd" />tag from all pages - However, the endpoint itself is still accessible and functional
Remaining Risk
The /xmlrpc.php endpoint is still reachable and can be targeted for:
- Brute force login attempts (xmlrpc.php allows multiple login attempts per request)
- DDoS amplification via pingback
- Server resource exhaustion
Recommended Actions
- Block at server level (preferred): Add nginx/Apache rule to return 403 for
/xmlrpc.php - Or disable via WordPress: Add
add_filter('xmlrpc_enabled', '__return_false');to the mu-plugin - Or use a security plugin: Wordfence, Sucuri, etc. can disable XML-RPC
Priority
Low - the discovery link is removed, reducing automated scanning risk. Full remediation can be scheduled during regular maintenance.
References
- WordPress XML-RPC Security
- Current mu-plugin:
wp-content/mu-plugins/cleanup-head.php
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗