I’m afraid there isn’t a way around it; Jetpack uses XML-RPC for most of its features.
You can, however, enable Jetpack’s Development Mode to be able to use all the Jetpack features that do not require communication with WordPress.com:
http://jetpack.me/support/development-mode/
Plus I have actually blocked xmlrpc on some of my websites myself due to the security issue. I saw the reply on another older thread to enable Akismet.
Akismet won’t really help in protecting your XML-RPC file. It is used to filter comments on your site.
I’d recommend using a combination of plugins and services to protect your site’s XML-RPC file from brute force attacks:
- You could start by deactivating XML-RPC’s pingback method. Pingbacks aren’t necessarily useful on your site, but they’re still a potential vector for DDoS attacks:
https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
Plugins and services like Jetpack do not need pingbacks, so you can deactivate that method without blocking Jetpack.
Here is a plugin that will help you deactivate Pingbacks:
https://wordpress.org/plugins/disable-xml-rpc-pingback/
I believe some security plugins include that option as well. I know iThemes Security does.
- Another potential attack vector is XML-RPC’s system.multicall method:
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
To protect yourself against such attacks, you could use plugins or services like Jetpack’s Protect, that offer protection against multicall abuse:
https://jetpack.me/2015/10/12/jetpack-protection-from-brute-force-xml-rpc-attacks/
- A third alternative would be to use a Website Firewall, that will block attacks before they even reach your server. Here are 2 popular ones:
- A fourth option, and maybe something I should have started with, is your hosting provider. The most popular hosting providers out there monitor and protect your site against some XML-RPC abuse. It’s in their best interest as well, to avoid having hackers wasting server resources.
- Finally, if you run your own server, you can look at open source solutions like fail2ban or ModSecurity, that will allow you to block certain patterns of access to the XML-RPC file:
Some hosting providers use similar tools to protect their servers.
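As an added example (not code from this thread, from Jetpack, or from any of the plugins linked above), a small must-use plugin that implements the first two bullets directly: it removes the pingback and system.multicall methods from XML-RPC while leaving the rest of the interface, and therefore Jetpack and the WordPress apps, working. It assumes a standard WordPress install where it is dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 * Description: Removes the pingback and system.multicall XML-RPC methods
 *              without disabling XML-RPC as a whole (Jetpack keeps working).
 */

// Jetpack and the apps rely on methods such as wp.* and jetpack.*.
// The pingback.* methods only serve trackback-style notifications and are
// the vector in the DDoS write-up above; system.multicall lets a single
// HTTP request carry hundreds of login attempts (the amplification issue).
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising pingback support in the response headers, so scanners
// that look for the X-Pingback header do not single the site out.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

To confirm it took effect, call system.listMethods against /xmlrpc.php from a client you control and check that the three methods are no longer listed while wp.getUsersBlogs still is.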
I have just come across the issue. However, I was previously using Jetpack and had it connected with the self-hosted WordPress website. It was running flawlessly. Jetpack Site Stats were also being updated, which is the most frequent section I used to see after logging into /wp-admin.
But just recently, when I tried to connect via the WordPress App on Android, it denied access. Then I headed to my PC and checked the XML-RPC file; it was there, but I couldn’t access it via browser as it was returning a 404 error. I was curious how that could be possible, as it was working before when I connected with Jetpack.
At this point the Jetpack services were still working on my self-hosted website. But as I had also activated “Manage Site from WordPress.org”, I went over to wordpress.org to see what the status was. The site was available there, but wordpress.org was having issues connecting with it.
[Jetpack services on the self-hosted website were still working fine, including Photon, Site Stats, Custom CSS, etc.]
Now I just wanted to check by disconnecting Jetpack from the self-hosted website and reconnecting it. And that was it. When I tried to reconnect with Jetpack, my self-hosted website was no longer accessible by Jetpack (again with a 404 error), and the self-hosted website has now lost access to all of the Jetpack features.
Assuming that my host had suddenly blocked access to XML-RPC, I tried renaming the xmlrpc.php file and using a plugin as suggested here https://apps.wordpress.com/support/#faq-ios-11 but it didn’t work.
I also tried specifically allowing xmlrpc.php in my .htaccess, but that didn’t work either.
Is there a way to resolve this without contacting my host?
@khurramar I’m afraid there is no other option, as it seems the block was added by your hosting provider.