Problem Description
- You use a service or application that utilizes the WordPress XML-RPC interface
- You get a 403 Forbidden error when attempting to access xmlrpc.php
- You use Open Live Writer and cannot publish content directly to your site
- The WooCommerce app is unable to access your store
Problem Resolution
Most WordPress users do not use XML-RPC, and it is frequently used in attempts to brute-force WordPress admin passwords. For that reason, as of January 2022 we block access to xmlrpc.php server-wide by default and allow access only from the IPs of common services, such as the Jetpack plugin, which uses XML-RPC to communicate with the wordpress.com servers.
If you use a popular third-party service that utilizes XML-RPC and have found it is blocked, please open a ticket indicating the name of the service you use and the IP addresses that it uses to connect to the server, and we'll consider whitelisting them across all of our servers.
How to unblock XML-RPC
Some services require access to WordPress XML-RPC from changing IP addresses (for example, Open Live Writer runs on your computer and connects from whatever your current IP happens to be).
You can unblock XML-RPC for your site by following these steps:
- Follow the steps here to learn how to access the Plesk File Manager and create a new file
- Create a file named '.xmlrpcUnblock' in your web root folder. For those with a single domain/website, the web root folder is typically 'httpdocs'. Do not omit the leading '.' (dot) at the beginning of the file name.
Within 10 seconds of creating that file, you should find all third-party services have gained access to WordPress XML-RPC.
If XML-RPC is still being blocked:
Go to your Web application firewall rules and add the following exclusions:
77350458
77350459
77350444
77350445
77350446
77231011
33339
Security Note: If you are on a shared server (standard hosting) or a Managed VPS and/or a VPS with Imunify360, you will still have web application layer firewall protection against brute-force attacks on WordPress XML-RPC. Those without Imunify360 or on an unmanaged server will not have any inherent XML-RPC protection.
Other Software To Check
If XML-RPC is still blocked even after making the above change, there are numerous plugins that could be responsible. Look for the following:
- Any security plugin like Wordfence or iThemes Security should have the option to block/allow XML-RPC. If you don't see the option, try disabling the plugin, even just temporarily, to see if the issue persists
- Docket Cache has an option to block XML-RPC that's enabled by default
- Really Simple SSL plugin blocks XML-RPC by default
- A straight-up XML-RPC blocking plugin like "Disable XML-RPC-API" or "Stop XML-RPC Attacks" - search your plugins list for XML-RPC to find them and deactivate them
- Check your .htaccess file - sometimes plugins that were previously installed do not clean up after themselves and leave their configurations in .htaccess, such as XML-RPC blocking configs
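
The two file-level checks described in this article, the exact '.xmlrpcUnblock' name in the web root and leftover XML-RPC blocking rules in .htaccess, can be scripted. The Python below is an added example, not the hosting provider's tooling; the function names, the directive patterns it searches for, the near-miss name check and the sample .htaccess content are assumptions constructed for illustration.

```python
import re
from pathlib import Path

MARKER = ".xmlrpcUnblock"  # exact file name given in the article
SECTION_OPEN = re.compile(r"<Files(?:Match)?\s+(.+?)>", re.I)
SECTION_CLOSE = re.compile(r"</Files(?:Match)?>", re.I)
DENY = re.compile(r"(?:deny\s+from\b|require\s+all\s+denied)", re.I)
# Rewrite/redirect rules that answer xmlrpc.php requests with 403.
FORBID = re.compile(
    r"(?:RewriteRule\s+\S*xmlrpc\S*\s+\S+\s+\[[^\]]*\b(?:F|R=403)\b"
    r"|RedirectMatch\s+403\s+\S*xmlrpc)", re.I)

# Constructed sample: leftovers a removed plugin might leave behind.
SAMPLE_HTACCESS = """\
RewriteRule . /index.php [L]
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
RewriteRule ^xmlrpc\\.php$ - [F,L]
"""

def scan_htaccess(text):
    """Return [(line_no, directive)] for rules that block xmlrpc.php."""
    hits, in_xmlrpc = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        opened = SECTION_OPEN.match(line)
        if opened:
            # Only deny rules scoped to a section naming xmlrpc are relevant.
            in_xmlrpc = "xmlrpc" in opened.group(1).lower()
        elif SECTION_CLOSE.match(line):
            in_xmlrpc = False
        elif (in_xmlrpc and DENY.match(line)) or FORBID.match(line):
            hits.append((no, line))
    return hits

def check_webroot(webroot):
    """Report marker state, misnamed markers (assumed check) and .htaccess hits."""
    names = [p.name for p in Path(webroot).iterdir() if p.is_file()]
    ht = Path(webroot, ".htaccess")
    text = ht.read_text(errors="replace") if ht.is_file() else ""
    near = sorted(n for n in names if "xmlrpcunblock" in n.lower() and n != MARKER)
    return {"marker_present": MARKER in names, "near_misses": near,
            "htaccess_hits": scan_htaccess(text)}

if __name__ == "__main__":
    print(scan_htaccess(SAMPLE_HTACCESS))
```

Call check_webroot() with the path to a site's web root (typically 'httpdocs'); any entry under "htaccess_hits" is a line to review and remove if the plugin that wrote it is no longer installed.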
