How to Secure WordPress XML-RPC while allowing Jetpack to work
If you run a self-hosted WordPress site and use Jetpack to manage it, you will probably have a love-hate relationship with WordPress XML-RPC. The xmlrpc.php endpoint is a common target of bot attacks against WordPress backends (brute-force logins and amplified multicall requests, for example), yet Jetpack needs it to talk to your site. The goal, then, is to lock down and secure WordPress XML-RPC while still allowing Jetpack to reach it.
Here’s how I’ve done it.
1. Secure WordPress XML-RPC
My guide here is specific to WordPress sites running on Apache web servers. Basically, what we need to do is restrict access to the xmlrpc.php file to the specific list of IP addresses that Jetpack uses. Thankfully, Jetpack maintains and publishes this list here: https://jetpack.com/support/how-to-add-jetpack-ips-allowlist/. The same list is available as a plain text file at https://jetpack.com/ips-v4.txt, which is convenient for scripting. The list does change over time, so re-check it whenever Jetpack features stop working. In addition to that list, if your host is also behind Cloudflare, you would also need to add this CIDR range: 18.104.22.168/18. The reason is that a proxied request reaches Apache from a Cloudflare edge address, not from Jetpack's own address, so a Jetpack-only allowlist would block Jetpack itself (unless you use mod_remoteip to restore the real client IP from the CF-Connecting-IP header).
Here's how I've edited the site's .htaccess file to lock down access to the xmlrpc.php file and secure WordPress XML-RPC. The block uses the classic Order/Deny/Allow syntax; on Apache 2.4 that requires mod_access_compat to be loaded, and the equivalent native form is a single `Require ip` line listing the same networks.

```apache
# Allow only Jetpack to XML-RPC
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    # jetpack CloudFlare IPs
    allow from 22.214.171.124/18
    # https://jetpack.com/ips-v4.txt
    allow from 126.96.36.199/32
    allow from 188.8.131.52/32
    allow from 184.108.40.206/32
    allow from 220.127.116.11/20
    allow from 18.104.22.168/20
    allow from 22.214.171.124/20
    allow from 126.96.36.199/22
    ErrorDocument 403 ":p"
</Files>
```
You can edit the file directly on your host or use a WordPress plugin to add the lines to the .htaccess file.

For the ErrorDocument: if you remove it, Apache falls back to its standard 403 Forbidden page. If you want, you can redirect to a custom error page or, as I've done, simply return a short string to the requester. Either way the blocked request never reaches PHP, which is the point: the bot traffic is rejected before WordPress spends any CPU on it.
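The allowlist above is maintained by hand, which is where mistakes creep in (a mistyped octet locks Jetpack out; a too-short prefix lets everyone in). The following is an added example, not the author's own script, that parses a Jetpack-style IP list, renders the `<Files xmlrpc.php>` stanza in either Apache 2.4 `Require ip` or the post's Order/Deny/Allow form, and checks which client addresses the result admits. It also models what mod_remoteip does when configured with `RemoteIPHeader CF-Connecting-IP` and `RemoteIPTrustedProxy` set to Cloudflare's ranges, the alternative to allowing a Cloudflare range at the origin. The addresses used are RFC 5737 documentation ranges standing in for the real lists at https://jetpack.com/ips-v4.txt and https://www.cloudflare.com/ips-v4; fetch those with curl before using this for real.

```python
"""Build and sanity-check an xmlrpc.php IP allowlist for Apache.

Added example for this post, not the author's code. The networks below are
constructed RFC 5737 documentation ranges, NOT Jetpack's or Cloudflare's real
addresses; replace them with the published lists before real use.
"""
import ipaddress

# Constructed stand-in for https://jetpack.com/ips-v4.txt (one address or CIDR per line).
JETPACK_IPS_V4 = """\
192.0.2.0/24
198.51.100.10
"""

# Constructed stand-in for Cloudflare's published edge ranges (https://www.cloudflare.com/ips-v4).
CLOUDFLARE_IPS_V4 = """\
203.0.113.0/24
"""


def parse_allowlist(text):
    """Parse one IPv4/IPv6 address or CIDR per line; '#' comments and blank lines are skipped.

    A malformed line raises instead of being dropped silently: a typo in the
    allowlist would otherwise lock Jetpack out (or, with a too-wide prefix,
    let everyone in) without any warning.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP address or CIDR") from exc
    return nets


def render_files_block(nets, apache24=True):
    """Render the <Files xmlrpc.php> stanza for the given networks.

    apache24=True emits mod_authz_core 'Require ip' syntax (Apache 2.4 native).
    apache24=False emits the Order/Deny/Allow form used in the post, which on
    Apache 2.4 only works when mod_access_compat is loaded.
    """
    cidrs = [n.with_prefixlen for n in nets]
    lines = ["# Allow only Jetpack to XML-RPC", "<Files xmlrpc.php>"]
    if apache24:
        lines.append("    Require ip " + " ".join(cidrs))
    else:
        lines.append("    Order Deny,Allow")
        lines.append("    Deny from all")
        lines.extend(f"    Allow from {c}" for c in cidrs)
    lines.append('    ErrorDocument 403 ":p"')
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def is_allowed(client_ip, nets):
    """True if the address Apache treats as the client falls inside any allowed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)


def effective_client_ip(remote_addr, cf_connecting_ip, trusted_proxies):
    """Address Apache would use with mod_remoteip trusting CF-Connecting-IP from Cloudflare.

    Mirrors 'RemoteIPHeader CF-Connecting-IP' plus 'RemoteIPTrustedProxy <ranges>':
    the header is honoured only when the TCP peer is a trusted proxy, so a direct
    request cannot forge its way onto the allowlist by adding the header itself.
    """
    if cf_connecting_ip and is_allowed(remote_addr, trusted_proxies):
        return cf_connecting_ip
    return remote_addr


if __name__ == "__main__":
    jetpack = parse_allowlist(JETPACK_IPS_V4)
    cloudflare = parse_allowlist(CLOUDFLARE_IPS_V4)
    print(render_files_block(jetpack))
    # Origin behind Cloudflare, no mod_remoteip: Apache sees the edge IP, so a
    # Jetpack-only list blocks Jetpack. That is why the post adds a Cloudflare range.
    print(is_allowed("203.0.113.7", jetpack))  # False
    # With mod_remoteip the real client is recovered and the list can stay Jetpack-only.
    print(is_allowed(effective_client_ip("203.0.113.7", "192.0.2.9", cloudflare), jetpack))  # True
    # A direct request carrying a forged header is still judged on its own address.
    print(is_allowed(effective_client_ip("198.51.100.99", "192.0.2.9", cloudflare), jetpack))  # False
```

The trade-off the last three checks illustrate: putting a whole Cloudflare range in the origin allowlist admits anything that arrives through Cloudflare, which is why the edge-side WAF rule in the next step is worth adding as well; restoring the client address with mod_remoteip keeps the origin list Jetpack-only, at the cost of maintaining a second (Cloudflare) list as the trusted-proxy set.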
2. Use Cloudflare to further secure access to xmlrpc.php
If you are using Cloudflare, you now have access to 5 custom WAF rules even on the free plan. You can use one of them to ensure that only Jetpack's traffic reaches the xmlrpc.php URL, blocking everything else at the network edge before it ever touches your server. To configure this WAF rule, go to Security → WAF in the Cloudflare dashboard and click Create rule to add a new rule for your WordPress XML-RPC interface.
Give the rule a name, e.g: Allow only Jetpack to xmlrpc.php
Then add the following two match criteria:
- Field: URI Full
- Operation: contains
- Value: xmlrpc.php
- Field: AS Num
- Operation: does not equal
- Value: 2635
Make sure to combine both criteria with AND. The useful point here is that Cloudflare exposes the autonomous system number (ASN) of the network a connection comes from, and Jetpack's requests originate from Automattic's network, AS2635, as noted on Jetpack's documentation page. Matching on the ASN means you do not have to keep a copy of Jetpack's IP list in sync at the edge.
For the action, set it to Block.
The rule above basically says: if a request for a URI containing "xmlrpc.php" does not originate from Jetpack's network, block it. Save the rule to deploy it.

With this rule in place Cloudflare blocks access to xmlrpc.php at the edge, and your host will no longer be hit by that malicious traffic. Keep the .htaccess rule from step 1 as well: the WAF only sees requests that go through Cloudflare, so anyone who discovers your origin IP and connects to it directly bypasses the edge rule, and the origin-side allowlist is what stops them.
If this post has been useful, support me by buying me a latte or two 🙂