How to Secure WordPress XML-RPC while allowing Jetpack to work


If you run a self-hosted WordPress site and use Jetpack to manage it, you will probably have a love-hate relationship with WordPress XML-RPC. It is a common target of bot attacks against WordPress backends, so it is important to lock down and secure WordPress XML-RPC while still allowing Jetpack to reach it and work.

Here’s how I’ve done it.

1. Secure WordPress XML-RPC

My guide here is specific to WordPress sites running on Apache web servers. What we need to do is restrict access to the xmlrpc.php file to the specific list of IP addresses that Jetpack uses. Thankfully, Jetpack maintains and publishes this list of IPs here: https://jetpack.com/support/how-to-add-jetpack-ips-allowlist/. The same list is also available as a text file: https://jetpack.com/ips-v4.txt. In addition to that list, if your host is also protected by Cloudflare, you need to add this CIDR range as well: 192.0.64.0/18

Here’s how I’ve edited the site’s .htaccess file to lock down the access to the xmlrpc.php file to secure WordPress XML-RPC.

# Allow only Jetpack to XML-RPC
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
# Jetpack range needed when the host is behind Cloudflare
Allow from 192.0.64.0/18
# https://jetpack.com/ips-v4.txt
Allow from 122.248.245.244/32
Allow from 54.217.201.243/32
Allow from 54.232.116.4/32
Allow from 192.0.80.0/20
Allow from 192.0.96.0/20
Allow from 192.0.112.0/20
Allow from 195.234.108.0/22
ErrorDocument 403 ":p"
</Files>

You can edit the file directly on your host or use a WordPress plugin to add the lines to the .htaccess file.

For the ErrorDocument, if you remove it, Apache falls back to its standard 403 Forbidden page. If you want, you can point it at a custom error page or, as I have done, simply return a short string to the requester.
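To keep the allowlist in step with the published list and to see what the rule is actually rejecting, here is an added example (my own code, not part of the original post or of Jetpack). It parses a list in the one-CIDR-per-line format of ips-v4.txt, renders the same <Files> block as above, and audits Apache access-log lines for xmlrpc.php requests from outside the allowlist. The IP list and log lines embedded below are constructed samples; the function and constant names are my own.

```python
"""Added example (not from the original post): build the xmlrpc.php allowlist
from a Jetpack-style IP list and audit an Apache access log for hits that the
<Files xmlrpc.php> rule is there to reject.  The IP list and log lines are
constructed samples in the published formats, not live data."""
import ipaddress
import re

# Constructed sample in the format of https://jetpack.com/ips-v4.txt
# (one CIDR per line).  Re-fetch the real file when updating the allowlist.
SAMPLE_IP_LIST = """\
122.248.245.244/32
54.217.201.243/32
54.232.116.4/32
192.0.80.0/20
192.0.96.0/20
192.0.112.0/20
195.234.108.0/22
"""

# Extra range the post adds for hosts behind Cloudflare.
EXTRA_RANGES = ["192.0.64.0/18"]


def parse_ip_list(text):
    """Turn one-CIDR-per-line text into ip_network objects, skipping blanks/comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def jetpack_networks(text=SAMPLE_IP_LIST, extra=EXTRA_RANGES):
    """Published Jetpack ranges plus the extra Cloudflare-related range."""
    return parse_ip_list(text) + parse_ip_list("\n".join(extra))


def render_htaccess(networks):
    """Render the <Files> block in the Apache 2.2 / mod_access_compat syntax
    the post uses, so the allowlist can be regenerated from the list."""
    lines = ["# Allow only Jetpack to XML-RPC", "<Files xmlrpc.php>",
             "Order Deny,Allow", "Deny from all"]
    lines += [f"Allow from {net.with_prefixlen}" for net in networks]
    lines += ['ErrorDocument 403 ":p"', "</Files>"]
    return "\n".join(lines) + "\n"


def is_allowed(ip, networks):
    """True when the client address falls inside any allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Apache combined log format: client IP first, request line in quotes, then status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def audit_access_log(lines, networks):
    """Return (ip, path, status) for each xmlrpc.php request from outside the
    allowlist, i.e. the traffic the <Files> rule should be turning away."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if "xmlrpc.php" in path and not is_allowed(ip, networks):
            findings.append((ip, path, int(status)))
    return findings


# Constructed sample log lines (documentation/test address ranges).
SAMPLE_LOG = [
    '192.0.80.15 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack by WordPress.com"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 403 3 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1211 "-" "Mozilla/5.0"',
    '192.0.64.200 - - [10/Oct/2023:13:56:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack by WordPress.com"',
]

if __name__ == "__main__":
    nets = jetpack_networks()
    print(render_htaccess(nets))
    for ip, path, status in audit_access_log(SAMPLE_LOG, nets):
        print(f"outside allowlist: {ip} {path} -> {status}")
```

One caveat when reading the audit output: if Apache sits behind Cloudflare, the address in the log (and the one the Allow directives compare against) is whatever Apache sees as the client, so the allowlist only reflects the real visitor if the true client IP is restored, for example with mod_remoteip. The Order/Deny/Allow directives are Apache 2.2 syntax; on 2.4 they need mod_access_compat, or the equivalent Require ip directives.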

Custom 403 error page showing ":P" string when accessing xmlrpc.php

2. Use Cloudflare to further secure access to xmlrpc.php

If you are using Cloudflare, you now have access to 5 custom WAF rules even on the free plan! You can use one of them to ensure that only traffic from Jetpack can reach the xmlrpc.php URL, right at the network edge. To configure this WAF rule, go to Security → WAF in the Cloudflare dashboard and click Create rule to add a new rule that secures your WordPress XML-RPC interface.

Cloudflare custom WAF rule page

Give the rule a name, e.g: Allow only Jetpack to xmlrpc.php

Then, add the following two match criteria:

  1. Field: URI Full
    • Operation: contains
    • Value: xmlrpc.php
  2. Field: AS Num
    • Operation: does not equal
    • Value: 2635

Make sure the two criteria are combined with AND. An interesting point to note here is that Jetpack also uses Cloudflare, so we can easily identify the traffic source by its ASN (autonomous system number); Jetpack's ASN is 2635, as noted on their documentation page.

For the action, set it to Block.

The rule above basically says, if the traffic to a URI containing “xmlrpc.php” is not originating from Jetpack’s list of IPs, block it. Save the rule to deploy it.
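The same rule written as a Cloudflare rule expression, as an added example (my own code, not from the original post or from Cloudflare). It maps the dashboard fields to Cloudflare's documented expression-language names (URI Full is http.request.full_uri, AS Num is ip.geoip.asnum) and can optionally create the rule through the Cloudflare Rulesets API. The environment variable names CF_ZONE_ID and CF_API_TOKEN, and the function names, are assumptions of this example; nothing is sent unless both variables are set.

```python
"""Added example (not from the original post): the step-2 WAF rule as a rule
object, plus optional creation through the Cloudflare Rulesets API.  The
CF_ZONE_ID / CF_API_TOKEN variable names are this example's own convention."""
import json
import os
import urllib.request

JETPACK_ASN = 2635  # Automattic's AS number, as given in the post


def build_xmlrpc_rule(asn=JETPACK_ASN, name="Allow only Jetpack to xmlrpc.php"):
    """Return the rule built in the dashboard: URI Full contains xmlrpc.php
    AND AS Num does not equal 2635, with action Block."""
    expression = (f'(http.request.full_uri contains "xmlrpc.php" '
                  f'and ip.geoip.asnum ne {asn})')
    return {
        "description": name,
        "expression": expression,
        "action": "block",
        "enabled": True,
    }


def create_rule(rule, zone_id, token):
    """POST the rule to the zone's custom-rules entry point (needs network and
    a token with the Zone WAF edit permission)."""
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_firewall_custom/entrypoint/rules")
    req = urllib.request.Request(
        url,
        data=json.dumps(rule).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule = build_xmlrpc_rule()
    print(json.dumps(rule, indent=2))
    zone_id, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone_id and token:
        print(create_rule(rule, zone_id, token))
    else:
        print("CF_ZONE_ID / CF_API_TOKEN not set; rule printed but not submitted")
```

The expression is what the dashboard's expression editor shows once both criteria are entered, so it can also be pasted there directly; keeping it in code makes it easy to review and to re-create the rule on another zone.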

Creating a Cloudflare WAF rule to block traffic to xmlrpc.php not originating from Jetpack's AS Number 2635

With this rule in place, Cloudflare blocks access to xmlrpc.php at the edge and your host no longer gets hit by such malicious traffic.

Cloudflare blocking traffic
