WordPress 2.6 to disable XML-RPC out of the box

Peter Westwood, a WordPress developer, recently announced a planned change that will disable Atom and XML-RPC publishing by default. I’m thrilled at this direction: many of my corporate and professional installations of WordPress require significant tweaking to disable remote publishing.

In the meantime, I’ve actually had no ill effects from removing xmlrpc.php from the default WordPress installation.

Another tweak I usually employ is applying a .htaccess file to the wp-admin directory. Using a set of Allow/Deny directives, you can restrict access to your administration panel to local machines only. For example, creating a new file /wp-admin/.htaccess:

Order allow,deny
Allow from 192.168.1
Deny from all

This example file ensures that only users coming from 192.168.1.x addresses can access the administration dashboard. It’s very useful because, even if a password is compromised, only hosts on the internal network can ever reach the login prompt.

A second approach, which still allows remote access by trusted users, is a dual-layer authentication setup. Using the htpasswd utility and the .htaccess tutorial from Apache, create a separate login that guards the administration panel. This prompt appears before the default WordPress login. Roaming web spiders and malicious bots will have a much harder time reaching the wp-admin directory with appropriate access restrictions in place.
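As an added example (not from the original post), here are the two tweaks combined in one /wp-admin/.htaccess: hosts on the assumed 192.168.1 network pass on address alone, while everyone else must first authenticate against an htpasswd file. The file path /etc/wp/wp-admin.htpasswd and the user name editor are assumptions; the htpasswd file must live outside the web root.

```apache
# /wp-admin/.htaccess  (Apache 2.2 syntax, matching the Order/Allow/Deny form above)

# Layer 1: address-based restriction, exactly as in the single-layer example
Order allow,deny
Allow from 192.168.1
Deny from all

# Layer 2: HTTP Basic authentication backed by an htpasswd file.
# Create the file (assumed path and user) once, outside the web root:
#   htpasswd -c /etc/wp/wp-admin.htpasswd editor
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /etc/wp/wp-admin.htpasswd
Require valid-user

# Satisfy Any: a request is accepted if EITHER layer passes, so
# 192.168.1.x hosts skip the extra prompt and remote users must log in.
# Use "Satisfy All" (the default) to demand both address AND password.
Satisfy Any
```

The directives above take effect only if the server's AllowOverride for the site includes AuthConfig and Limit; front-end features that call wp-admin/admin-ajax.php will also hit this prompt for remote visitors.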

Also, new WordPress security update (2.3.3)

As per the main WordPress site, another upgrade has hit. The security fix refers to our wonderful friend, xmlrpc.php. I highly suggest disabling this file (just delete it from your WordPress directory) if you’re maintaining a locked-down installation of WordPress. This file seems to be present in every security issue lately, and a brief scan of the source seems to indicate that it offers support for pinging update services, sending pingbacks and allowing remote control of the service - none of these features are generally critical for sites valuing security more than blogosphere wankery.

DreamHost doesn’t seem to be offering the official upgrade yet, so I’m just downloading the fixed xmlrpc.php file for my installations requiring it, and replacing the file until the one-click install option comes online.