Technical security guide for Hovixa VPS users. Learn how to disable XML-RPC to prevent DDoS/Brute-force attacks and lock down server-side file editing to stop malware persistence.

Hardening WordPress: Disabling XML-RPC and Server-Side File Editing

Standard WordPress installations are configured for maximum compatibility, which often leaves legacy features enabled that modern sites do not require. Two of the most common vectors for unauthorized access and server resource exhaustion on a Hovixa VPS are XML-RPC (the remote procedure call interface) and the built-in file editor. Hardening these two components significantly reduces your attack surface.

1. Disabling XML-RPC

XML-RPC was originally designed to allow external applications (like the WordPress mobile app) to communicate with your site. However, it is now primarily used by attackers for Amplified Brute-Force Attacks and DDoS reflections. A single XML-RPC request can attempt hundreds of password combinations, bypassing standard login rate limits.

A. The Cleanest Method: Nginx/Apache Level

Blocking XML-RPC at the server level is the most efficient option because the request is rejected before PHP even executes. Add this to your Nginx server block (on Apache, a <Files "xmlrpc.php"> block containing Require all denied in the vhost or .htaccess achieves the same result):

# Block access to xmlrpc.php
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}

B. The WordPress Method: PHP Filter

If you cannot modify server configs, you can switch the functionality off from PHP instead. Note that add_filter() is not yet defined at the point where wp-config.php runs (wp-includes/plugin.php is loaded later by wp-settings.php), so placing the line there causes a fatal error; put it in a small must-use plugin such as wp-content/mu-plugins/disable-xmlrpc.php or in your active theme's functions.php:

<?php
// Disable the XML-RPC methods that require authentication (the brute-force vector).
add_filter( 'xmlrpc_enabled', '__return_false' );

Be aware that this filter only covers methods that require authentication. pingback.ping remains reachable, so if DDoS reflection is your concern, prefer the server-level block in method A.

2. Disabling Server-Side File Editing

By default, WordPress allows administrators to edit theme and plugin PHP files directly from the dashboard (Appearance > Theme File Editor). If an attacker gains administrative access, they can use this feature to inject a Web Shell or malware, gaining permanent control over your VPS.

Implementation:

Add this constant to your wp-config.php file, ideally near the other security definitions and always above the line that requires wp-settings.php (constants defined after it are ignored):

/** Disable the internal File Editor */
define( 'DISALLOW_FILE_EDIT', true );

Once active, the "Editor" menu items will disappear from the dashboard entirely, forcing all code changes to be made via secure methods like SSH or SFTP.

3. Security Impact Comparison

Feature                 Standard State   Hardened State   Risk Mitigated
XML-RPC                 Enabled          Blocked          Brute-force & DDoS reflection
File Editor             Active           Disabled         Malware injection & web shells
Plugin/Theme Installs   Allowed          Conditional      Unauthorized code execution

4. Advanced Hardening: DISALLOW_FILE_MODS

If you want to take security a step further, you can use DISALLOW_FILE_MODS. This not only disables the editor but also prevents anyone (even admins) from installing or updating plugins and themes through the dashboard.

define( 'DISALLOW_FILE_MODS', true );

Note: with this constant set, WordPress can no longer install or update anything itself, including background automatic updates for core, plugins and themes, so you must use WP-CLI via SSH to manage your updates. This is the gold standard for high-security production environments.

5. Technical Implementation Details

  • Jetpack Exception: If you use the Jetpack plugin, it requires XML-RPC to function. Instead of a full block, you may need to whitelist Automattic's IP ranges in your firewall.
  • Read-Only Filesystems: Combining DISALLOW_FILE_EDIT with strict Linux file permissions (chmod 444 for config files) creates a multi-layered defense: even a compromised administrator account has no dashboard path to write PHP, and the files themselves resist modification by the web server process.
  • Performance: Disabling XML-RPC reduces CPU spikes caused by bots hitting xmlrpc.php thousands of times per hour, ensuring your Hovixa NVMe resources are reserved for actual users.

Sysadmin Advice: After disabling these features, verify the results. Try to visit yoursite.com/xmlrpc.php; if you see a 403 Forbidden error, the server-level block is working. This browser test does not validate the PHP filter method, because the file stays reachable (a GET still answers "XML-RPC server accepts POST requests only."); with that method, confirm instead that an authenticated method call returns the fault "XML-RPC services are disabled on this site."
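As an added example (not part of the Hovixa article), the following Python script runs the kind of before-and-after check a sysadmin wants around method 1A: it parses Nginx combined-format access log lines, counts requests to xmlrpc.php per client, flags clients hammering the endpoint, and shows the 200 to 403 status shift once the block answers. The log lines are constructed sample data, and the combined log format and the flagging threshold are assumptions.

```python
import re
from collections import Counter

# Nginx default "combined" log_format (assumed; adjust the regex for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one bot hammering xmlrpc.php (12 POSTs in 12 seconds),
# one ordinary visitor, and a later probe that hit the "deny all" block (403).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.10 - - [10/May/2024:12:00:{i:02d} +0000] '
     f'"POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' for i in range(12)]
    + ['198.51.100.7 - - [10/May/2024:12:00:30 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
       '198.51.100.7 - - [10/May/2024:12:00:31 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
       '203.0.113.10 - - [10/May/2024:13:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"']
)

def parse_lines(text):
    """Yield (ip, method, path, status) per combined-format line; query strings are dropped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])

def xmlrpc_report(text, threshold=10):
    """Summarise xmlrpc.php traffic: hits per client, clients at or above the
    threshold (typical of system.multicall brute-force or pingback bots), and
    the status split, where 403s confirm the server-level block is answering."""
    hits, statuses = Counter(), Counter()
    for ip, _method, path, status in parse_lines(text):
        if path == "/xmlrpc.php":
            hits[ip] += 1
            statuses[status] += 1
    flagged = sorted(ip for ip, n in hits.items() if n >= threshold)
    return {"hits": dict(hits), "flagged": flagged, "statuses": dict(statuses)}

if __name__ == "__main__":
    report = xmlrpc_report(SAMPLE_LOG)
    for ip in report["flagged"]:
        print(f"{ip}: {report['hits'][ip]} requests to xmlrpc.php (threshold reached)")
    print("status breakdown:", report["statuses"])  # {200: 13, 403: 1}
```

Because the Nginx snippet in method 1A also sets access_log off for that location, blocked hits stop appearing in the log altogether once it is live, so the post-hardening signal is xmlrpc.php entries dropping to zero rather than a wall of 403s.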
