xmlrpc.php

They’re likely just “pokes” to see if there’s any site response.

If you don’t need to do use any remote site operations/services, you can disable xmlrpc completely (either in your functions.php, or via plugins).

Definitely disable it. I also rename it and/or delete it from site root.

Don’t get me started on how lame this thing is in being yet another attack vector we all have to deal with, no thanks to WordPress.

I use the plugin “Disable XML-RPC” which seems to play nice with other plugins including Wordfence.

MTN

Thanks for the help MTN and bluebearmedia,

Can you tell me what the purpose of XML-RPC is? If it is able to be disabled, what is its function to begin with?

Thanks,
Daniel

It helps with building applications that do things like help with WordPress admin. It is lame. Send it to trash until you need it, which is probably never.

https://en.wikipedia.org/wiki/XML-RPC

MTN

Hello maestrom,
unless you are using some external services to access your WordPress installation you do not need xmlrpc.php. On Wordfence “Options” page under “Other options” and the setting “Immediately block IP’s that access these URLs” you can enter “xmlrpc.php”. This will cause anyone who tries to request that URL to be blocked.

xmlrpc.php can be used for logging in. This is why malicious users are requesting it.

Thank you wfasa and mountaingui2. While we’re on this subject, I am also noticing that my Wordfence plugin has these urls whitelisted:

/favicon.ico
/apple-touch-icon*.png
/*@2x.png

I am not sure why this should be the case and what the latter two need to be whitelisted for, specifically? I noticed that the apple touch icon seems to be visited a lot, as well..

Any help would be appreciated!
Daniel

Hello maestrom,
it’s because these are often requested by devices but not present on sites so they are there to prevent you from getting lots of pointless 404s.