WordPress Xmlrpc 404

WordPress.org

I’m having an issue where I can post about 5 articles with xmlrpc.php and then WordPress starts returning 404 errors on subsequent xmlrpc.php POSTs.

Apache – the web server – is not reporting the 404 errors in its error log. I believe it is being generated by WordPress.

Where could the issue be?

Annoyingly enough, it’s considered an acceptable “standard” for servers to return a false 404 error instead of 403 Access Denied/Forbidden: https://en.wikipedia.org/wiki/HTTP_404#Phony_404_errors

I don’t know why except Because Security™ but it sure makes debugging difficult.

Considering that it suddenly starts returning 404 after 5 uses, I’d have to suspect some sort of security block.

I would recommend that you check the following:

1) Can you see the /xmlrpc.php file at the root of your WordPress installation when accessing your site via FTP? If you don’t, then please try re-installing WordPress. You can do this by going to the Dashboard -> Upgrades page, then click the “Reinstall WordPress” button.

2) Do you use any security plugins that may block access to this file? If so, could you try to disable them? You might also want to check your site’s .htaccess file for any rules that might be blocking access to the xmlrpc.php file.

3) Does your hosting provider block access to this file? If you don’t find any plugin that may block access to the file on your site, I would recommend that you get in touch with your host.

WordPress.org

XML-RPC WordPress API/Posts

wp.getPost

Retrieve a post of any registered post type.

Added in WordPress 3.4.

Parameters

  • string username
  • string password
  • int post_id
  • array fields: Optional. List of field or meta-field names to include in response.

Return Values

  • struct: Note that the exact fields returned depend on the fields parameter.
    • string post_id
    • string post_title 1
    • datetime post_date 1
    • datetime post_date_gmt 1
    • datetime post_modified 1
    • datetime post_modified_gmt 1
    • string post_status 1
    • string post_type 1
    • string post_format 1
    • string post_name 1
    • string post_author 1 author id
    • string post_password 1
    • string post_excerpt 1
    • string post_content 1
    • string post_parent 1
    • string post_mime_type 1
    • string link 1
    • string guid 1
    • int menu_order 1
    • string comment_status 1
    • string ping_status 1
    • bool sticky 1
    • struct post_thumbnail 1: See wp.getMediaItem.
    • array terms
      • struct: See wp.getTerm
    • array custom_fields
      • struct
        • string id
        • string key
        • string value
    • struct enclosure
      • string url
      • int length
      • string type
  • In the older metaweblog API, the "Introduction" and the "Read More" content for a post were returned in separate fields "description" and "mt_text_more". In the WordPress API, the two values are combined in the single "post_content" field, separated by the tag.
  • 401
    • If user does not have permission to edit the post.
  • 404
    • If no post with that post_id exists.

xmlrpc_default_post_fields

The default set of fields to be returned can be controlled using the xmlrpc_default_post_fields filter. The default value for this filter is:

xmlrpc_prepare_post

Immediately before returning the prepared post data, the value is passed through the xmlrpc_prepare_post filter. The filter has three parameters:

1. The prepared post data about to be returned.
2. The original post data array, see get_post.
3. The fields parameter value.

wp.getPosts

Retrieve list of posts of any registered post type.

Added in WordPress 3.4.

Parameters

  • int blog_id
  • string username
  • string password
  • struct filter: Optional.
    • string post_type
    • string post_status
    • int number
    • int offset
    • string orderby
    • string order
  • array fields: Optional. See #wp.getPost.

Return Values

  • array
    • struct: See #wp.getPost.
  • Response will only contain posts that the user has permission to edit. Therefore, there may be fewer than filter['number'] posts in the response.

Supports same filters as #wp.getPost.

wp.newPost

Create a new post of any registered post type.

Added in WordPress 3.4.

Parameters

  • int blog_id
  • string username
  • string password
  • struct content
    • string post_type
    • string post_status
    • string post_title
    • int post_author
    • string post_excerpt
    • string post_content
    • datetime post_date_gmt | post_date
    • string post_format
    • string post_name: Encoded URL (slug)
    • string post_password
    • string comment_status
    • string ping_status
    • int sticky
    • int post_thumbnail
    • int post_parent
    • array custom_fields
      • struct
        • string key
        • string value
    • struct terms: Taxonomy names as keys, array of term IDs as values.
    • struct terms_names: Taxonomy names as keys, array of term names as values.
    • struct enclosure
      • string url
      • int length
      • string type
    • any other fields supported by wp_insert_post

Return Values

  • string post_id
  • 401
    • If the user does not have the edit_posts cap for this post type.
    • If user does not have permission to create post of the specified post_status.
    • If post_author is different than the user’s ID and the user does not have the edit_others_posts cap for this post type.
    • If sticky is passed and user does not have permission to make the post sticky, regardless if sticky is set to 0, 1, false or true.
    • If a taxonomy in terms or terms_names is not supported by this post type.
    • If terms or terms_names is set but user does not have assign_terms cap.
    • If an ambiguous term name is used in terms_names.
  • 403
    • If invalid post_type is specified.
    • If an invalid term ID is specified in terms.
  • 404
    • If no author with that post_author ID exists.
    • If no attachment with that post_thumbnail ID exists.
wp.editPost

Edit an existing post of any registered post type.

Added in WordPress 3.4.

Parameters

  • int blog_id
  • string username
  • string password
  • int post_id
  • struct content: See #wp.newPost for valid set of fields. Only needs to contain fields that you wish to modify; all other fields will retain their current values.
  • You must pass the meta ID to update any existing items in the custom_fields array.

Return Values

  • 404
    • If no post with that post_id exists.

Can also return same errors as #wp.newPost.

wp.deletePost

Delete an existing post of any registered post type.

See wp_delete_post for exact behavior based on post type.

Added in WordPress 3.4.

Parameters

  • int blog_id
  • string username
  • string password
  • int post_id

Return Values

  • 401
    • If the user does not have permission to delete the post.
  • 404
    • If no post with that post_id exists.
wp.getPostType

Retrieve a registered post type.

Added in WordPress 3.4.

Parameters

  • int blog_id
  • string username
  • string password
  • string post_type_name
  • array fields: Optional. List of field or meta-field names to include in response.

Return Values

  • struct: Note that the exact fields returned depend on the fields parameter.
    • string name
    • string label
    • bool hierarchical
    • bool public
    • bool show_ui
    • bool _builtin
    • bool has_archive
    • struct supports: Features supported by the theme as keys, values always true. See post_type_supports.
    • struct labels 1
    • struct cap 2
    • bool map_meta_cap 2
    • int menu_position 3
    • string menu_icon 3
    • bool show_in_menu 3
    • array taxonomies 4

1 labels meta-field.
2 capabilities meta-field.
3 menu meta-field.
4 taxonomies meta-field.

  • 401
    • If the user does not have the edit_posts cap for this post type.
  • 403
    • If invalid post type name is specified.

The default set of fields to be returned can be controlled using the xmlrpc_default_posttype_fields filter. The default value for this filter is:

wp.getPostTypes

Retrieve list of registered post types.

Added in WordPress 3.4.

Parameters

  • int blog_id
  • string username
  • string password
  • struct filter: Optional. See get_post_types for filter options.
  • array fields: Optional. See #wp.getPostType.

Return Values

  • struct: Post type names as keys, post types as values. See #wp.getPostType.
  • Response will only contain post types for which the user has the edit_posts cap.

The default set of fields to be returned can be controlled using the xmlrpc_default_posttype_fields filter. The default value for this filter is:

wp.getPostFormats

Retrieve list of post formats.

Added in WordPress 3.1.

Parameters

  • int blog_id
  • string username
  • string password
  • array filter: Optional.
    • bool show-supported: Retrieve both the complete list of post formats, and the specific list of formats supported by the current theme.

Return Values

If filter or show-supported is omitted or false:

  • struct: keys are the formats, values are the display name for the format.

Example response data:

If show-supported is set:

  • struct
    • struct all: All post formats, in key/value format as described above.
    • array (of strings) supported: List of post formats supported by the current theme.

Example response data:

  • 403
    • If the user does not have the edit_posts cap.

wp.getPostStatusList

Retrieve list of supported values for post_status field on posts.

                      How to Fix Error 405 in xmlrpc.php?

                      What causes error 405 (Method not allowed) for xmlrpc.php?

                      A frustrating error that can occur on any WordPress installation is error 405 related to your xmlrpc.php file. It may show up in your Google webmaster tools or it may actually prevent you from accessing your site. Whatever the outcome it is usually caused by one of the following:

                      Corrupted or changed xmlrpc.php file

                      The best way to solve this issue is to download a fresh version of WordPress from www.wordpress.org and replace your current xmlrpc.php file with the new file from what you have downloaded. Of course, back up your site before you start to do this, just in case you have any issues. If this does not work, then maybe you have a conflict with one of your plugins.

                      Conflicts caused by a plugin

                      Usually this issue is caused by a security plugin; however, any plugin could be to blame. If you have access to your website you can turn your plugins off and on in turn through the dashboard to see if you can locate the offender. If, however, you don’t have access, then renaming the wp-plugins folder through FTP will give you access to your site if indeed the issue is with your plugins. Once you have identified the offending plugin you can replace it with an alternative or contact the author for a fix.

                      How to Protect WordPress from XML-RPC Attacks

                      WordPress is the most popular Content Management System. This popularity makes WordPress a perfect target for hackers. The most common attack faced by a WordPress site is the XML-RPC attack.

                      Recognizing an XML-RPC Attack

                      1) An “Error establishing database connection” error appears at random on the WordPress site.

                      2) “Out of memory” errors in the web console.

                      3) “Cannot open the file no such file/directory” errors in the web server error log.

                      4) “POST /xmlrpc.php HTTP/1.0” entries in the web server access log.

                      What is XML-RPC?

                      WordPress uses XML-RPC, a remote procedure call protocol that uses HTTP for transport and XML for encoding, to exchange information between computer systems over a network. This functionality can be exploited to send thousands of brute-force attempts in a short time. Hackers try to log in to the WordPress admin portal through xmlrpc.php with any username/password. xmlrpc.php allows hackers to guess hundreds of passwords with only 3 or 4 HTTP requests, leading to a high database load. Your WordPress site will then randomly go down and show the error “Error establishing database connection”.

                      Commands to search for XML-RPC attacks on different Linux distributions

                      For Apache on CentOS:

                      # grep xmlrpc /var/log/httpd/access_log

                      For Apache on Ubuntu:

                      # grep xmlrpc /var/log/apache2/access.log

                      For a cPanel server:

                      # grep xmlrpc /home/username/logs/access.log

                      For an nginx server:

                      # grep xmlrpc /var/log/nginx/access.log

                      If the WordPress site is facing attack, then the output of the above command will be similar to

                      "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

                      Blocking XML-RPC attack

                      We can block XML-RPC attacks in different ways.

                      1) Manually block xmlrpc in the .htaccess file

                      Here you can deny all users access to the xmlrpc.php file. Simply paste the following code in the .htaccess file in the website document root.

                      # Block WordPress xmlrpc.php requests

                      # END protect xmlrpc.php

                      2) Manually block xmlrpc in webserver document root.

                      For Apache paste the code in the configuration file.

                      For Nginx paste the below code in the configuration file.

                      After editing the configuration files you need to restart the webserver in order to enable the changes.

                      3) Installing Jetpack Plugin.

                      The Jetpack plugin for WordPress will block the XML-RPC requests. After enabling the Jetpack plugin, you will still see the XML-RPC entries in the web server access log. The plugin reduces the load on the database from these malicious requests.
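
The .htaccess method above, as an added example that is not part of the original article: a small audit that reports whether a configuration file already denies xmlrpc.php. Only the two marker comments in the sample come from the article; the directives between them (Apache 2.4 syntax), the function names and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: find deny rules for xmlrpc.php in an .htaccess or vhost file.

# Constructed sample .htaccess. The directives inside <Files> are an assumption
# (Apache 2.4 syntax); only the two marker comments appear in the article.
sample_htaccess() {
cat <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    Require all denied
    # To keep one trusted client working, use instead of the line above:
    # Require ip 192.0.2.15
</Files>
# END protect xmlrpc.php
EOF
}

# xmlrpc_deny_rules: read a config file on stdin and print
# "line-number: directive" for each deny directive that sits inside a
# <Files> or <FilesMatch> section whose pattern mentions xmlrpc.
# Prints nothing when no such rule exists.
xmlrpc_deny_rules() {
    awk '
    { l = tolower($0); sub(/^[ \t]+/, "", l) }
    # Comment lines never open, close or populate a section.
    l ~ /^#/ { next }
    # Entering a section: remember whether it targets xmlrpc.
    l ~ /^<files(match)?[ \t]/ { inside = (l ~ /xmlrpc/); next }
    l ~ /^<\/files(match)?>/ { inside = 0; next }
    # Apache 2.4 form, then the older 2.2 / mod_access_compat form.
    inside && (l ~ /^require[ \t]+all[ \t]+denied/ ||
               l ~ /^deny[ \t]+from[ \t]+all/) {
        d = $0; sub(/^[ \t]+/, "", d); print NR ": " d
    }'
}

# Demo on the constructed sample; for a real site run
#   xmlrpc_deny_rules < /path/to/.htaccess
sample_htaccess | xmlrpc_deny_rules
```

A hit explains 403 responses from xmlrpc.php before any plugin or WordPress code runs; no output means the block has to be looked for elsewhere (plugin, server configuration or host).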

                      Verify Attack diminution

                      After enabling the Jetpack plugin, XML-RPC entries still appear in the access log of the web server. The plugin reduces the load on the database and blocks the attacking IP addresses. If you manually block XML-RPC in the web server configuration file or in the .htaccess file, your logs will still show the requests, but the resulting status code will be something other than 200. It will be 403, 500 or 404. The result is then similar to the line below.

                      "POST /xmlrpc.php HTTP/1.1" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

                      By reducing the malicious XML-RPC traffic your WordPress site will be more secure and it consumes fewer system resources. As a result, the WordPress site stays online.
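
The grep commands and the status-code check above, combined into an added example that is not part of the original article: it counts POSTs to /xmlrpc.php per client and per status code. It assumes the Apache/nginx combined log format; the function names and the sample lines (documentation IP ranges) are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise POSTs to /xmlrpc.php in a combined-format access log.

# Constructed sample lines using documentation IP ranges, not real traffic.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Dec/2012:01:20:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.7 - - [12/Dec/2012:01:20:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.7 - - [12/Dec/2012:01:20:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.7 - - [12/Dec/2012:01:20:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 674 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.23 - - [12/Dec/2012:01:25:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.23 - - [12/Dec/2012:01:25:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.15 - - [12/Dec/2012:01:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"
192.0.2.15 - - [12/Dec/2012:01:30:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleBlogApp/1.0"
EOF
}

# xmlrpc_posts: keep only POST requests to /xmlrpc.php and print
# "client-ip status". Whitespace-split fields of the combined format:
# $1 = client IP, $6 = "METHOD, $7 = path, $9 = status code.
xmlrpc_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php([?]|$)/ { print $1, $9 }'
}

# xmlrpc_suspects MIN: print "count ip", busiest first, for every client
# with at least MIN POSTs to xmlrpc.php (MIN defaults to 1).
xmlrpc_suspects() {
    xmlrpc_posts |
        awk -v min="${1:-1}" '{ n[$1]++ }
            END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# xmlrpc_status_summary: print "status count". 200 means WordPress still
# processed the call; 403, 404 or 500 means the request was stopped earlier.
xmlrpc_status_summary() {
    xmlrpc_posts |
        awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' |
        sort
}

# Demo on the constructed sample; for a real log run, for example,
#   xmlrpc_suspects 100 < /var/log/apache2/access.log
sample_log | xmlrpc_suspects 3
sample_log | xmlrpc_status_summary
```

Run the summary before and after applying a block: the share of 200 responses should fall while 403/404/500 rise, and a legitimate client such as a blogging app shows up as a low-count IP that may need an exception.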


                      WordPress for iPhone Forums

                      XMLRPC problem

                      I have been a very happy WordPress iOS app user for some time but about a month ago it stopped working.
                      I wonder if anyone can help please, because I have exhausted everything I can think of and found on the web to troubleshoot my issue.

                      First, my website is here: http://www.35mmfrog.com
                      It is a self hosted website, my host provider is using Apache and the latest version of perl/php.

                      When I try to use the iOS app I get an error:
                      Sorry, can’t log in
                      Unable to read the WordPress site on that URL

                      I uninstalled the app, installed it again, tried to add my blog and it still gives me that error.
                      I am using the iOS App v3.3

                      I have followed the instructions found there:
                      http://ios.wordpress.org/faq/#faq_3

                      – My site has XMLRPC enabled.
                      – When I looked at the source code for the page, however, I could not find the EditURI tag
                      – But it still gives me the right XML file and it still gives me the expected sentence: XML-RPC server accepts POST requests only.

                      Nonetheless, this was still not working so I tried the following:
                      1) Enable extra debug mode as stated here:
                      http://dev.ios.wordpress.org/extra-debug/
                      Small problem to be aware of though: if you have just reinstalled the iOS app, unless you have a blog registered you cannot see the settings option!! So I had to create a WordPress hosted blog (as opposed to my self-hosted site 35mmfrog.com), add it to the iOS app and THEN did I get access again to the settings!
                      By the way, it also confirms that with the wordpress hosted blog the apps work

                      What I saw in the logs:
                      [XML-RPC] ! Expected status code in (200-299), got 404
                      [XML-RPC] ! Expected status code in (200-299), got 406

                      So I tried further fix:
                      2) To edit the xmlrpc.php and remove some lines
                      As per the thread:
                      http://wordpress.org/support/topic/iphone-app-not-connecting/page/2?replies=61
                      I just deleted these lines in the xmlrpc.php file

                      I just left the WordPress line.
                      It still did not work.

                      3) I added the following line into my xmlrpc.php (right after header(‘Content-Type: text/html; charset=utf-8’);

                      I don’t remember where I found that tip but this still did not work.
                      4) I changed the permissions on xmlrpc.php, even going as far as changing to 777 (changed back to 644).
                      Still no luck.

                      5) I have added the following into my theme header.php

                      /xmlrpc.php?rsd" /> as explained there.

                      It is still not working!

                      It is still not working!
                      and below are the logs I am getting from the wordpress apps:
                      2012-12-12 01:20:43 +0000 Sent blogs list (1 blogs)
                      2012-12-12 01:20:49 +0000 viewDidLoad
                      2012-12-12 01:20:51 +0000 viewDidLoad
                      2012-12-12 01:21:11 +0000 checkURL http://www.35mmfrog.com
                      2012-12-12 01:21:11 +0000 [WordPressApi] system.listMethods
                      2012-12-12 01:21:12 +0000 [XML-RPC] ! Expected status code in (200-299), got 404
                      2012-12-12 01:21:12 +0000 [WordPressApi] system.listMethods
                      2012-12-12 01:21:13 +0000 [XML-RPC] ! Expected status code in (200-299), got 406
                      2012-12-12 01:21:13 +0000 [WordPressApi] system.listMethods
                      2012-12-12 01:21:15 +0000 [XML-RPC] ! Expected status code in (200-299), got 404

                      (below I replace the question mark with (question mark) because otherwise I cannot post on this forum! This is mental! I had to break my long post that way as I couldn’t find what was stopping me posting in this forum. I am cursed! 😉

                      2012-12-12 01:21:15 +0000 [WordPressApi] system.listMethods
                      2012-12-12 01:21:17 +0000 [XML-RPC] ! Expected status code in (200-299), got 404
                      2012-12-12 01:21:17 +0000 [WordPressApi] applicationWillResignActive:
                      2012-12-12 01:21:23 +0000 applicationDidEnterBackground:

                      I can see now that it sees the RSD tag. when I saw that I thought! great.
                      But then it still gets some errors.

                      I am running out of ideas! It is a real shame because that app was making blogging from my iOS device a much better experience.

                      I have tried with another free iOS app and there is the same problem.
                      Anyone can help? please? 🙂
                      B.

                      I wouldn’t edit the xmlrpc.php file at all, that could cause more problems. Have you updated your WordPress install recently? Maybe see if the 3.5 update gets it working again?

                      Ok, I have restored the original xmlrpc.php but still have the problem.
                      I have also upgraded to 3.5 yesterday and it didn’t fix the issue.

                      Not sure what I can do next!

                      That 406 error sounds like an issue with the apache configuration. Let me run some tests to see if I find out what’s going on

                      When Content-Type is specified, the server returns a 404. That’s almost certainly apache doing something funky. Do you have any security related plugins installed? Can you post a list?

                      If no plugins installed:

                      Do you have mod_security or something similar? Can you edit the apache configuration or is it managed by your host?

                      If you can’t configure apache, you should contact your hosting provider’s tech support.

                      Some sample requests.

                      Thanks for that!
                      Yes, I am running some security plugins but I have tried last night with:
                      all plugins disabled and I mean all, not just the security ones.
                      I also changed the theme to the default "twenty twelve" theme.

                      I still got the same issue.

                      I cannot change the apache configuration, only my host provider can.
                      Do you know what I need to ask them to change by any chance?

                      Also. could it have anything to do with .htaccess?
                      Because I can edit that file though.
                      S.

                      Unless you added custom lines to .htaccess, that shouldn’t be it. If plugins are not the issue, there must be something going on with apache.

                      You can tell them you’re having problems accessing your xmlrpc.php file and direct them to this thread for details

                      Thanks Jorge, I am going to contact my host provider and see what they can do.
                      I can confirm it is not a problem with my wordpress setup because I created a brand new wordpress install with a clean database and tried to connect but failed! with all the default settings.

                      By the way, I just checked and I cannot find the "remote services" in the settings->writing on that new WordPress install. Will check on Google as to why it is the case!
                      S.
