During the setup of EdBinx, Jetpack Plugin by WordPress kept throwing me a site_inaccessible 403 Forbidden Error for XMLRPC.php file every time I tried connecting it to the wordpress.org. First, I tried solving the issue by going through posts at the WordPress forum and other that came in the Google search, however, in the last I added a new rule to my .htaccess file and everything worked like a charm.
What was happening?
Jetpack plugin requires a connection for the wordpress.org so that it can activate it on your account. But somehow it had some issues in the connectivity and kept me throwing this message:
Your website needs to be publicly accessible to use Jetpack: site_inaccessible
Error Details: The Jetpack server was unable to communicate with your site [HTTP 403]. Ask your web host if they allow connections from WordPress.com. If you need further assistance, contact Jetpack Support: http://jetpack.me/support/
Well, it says my web site should be publicly accessible, and then how I can open the URL, land on the homepage and do the operation. The answer was this little thing called as XMLRPC.PHP file residing in the WWW directory of your website.
What is XML-RPC?
XML-RPC.php is a file dealing with the Remote Procedure Call or RPC on your server, and it is crucial for a WordPress website to functional properly. It allows the operating systems running in a different environment make procedure calls over the Internet, here procedure calls means that there exists a software in another corner of the Internet web and is calling a function of another software in some remote location. There are functions in it that are helpful in writing XML-RPC clients and servers. Apart from that there are several functions in it which you can use. Check out the complete list here.
Here my XML-RPC.php file wasn’t properly receiving the traffic it should and so Jetpack resulted in this error.
What had I tried to fix the problem?
As soon as I saw a post on the WordPress that had the same issue as mine, I jumped on it and quickly tried the solution. I was in a real hurry to do this.
The author of this plugin said that I should first check the if there are any security plugins blocking the access – Nopes there were no such plugins. Next there a person said that after commenting out a line in the .htaccess file, everything worked perfectly for him. See the section how to access the .htaccess file at the end of this post.
The code that the person commented out to disable:
#deny from all
My .htaccess file didn’t have these. To comment out, you only put a hash symbol in front of each line as I did in the above code. The reason commenting out is useful is that it helps you make the code inactive as well as preserve it in case you need it again. Next thing I did was I tried installing the WordPress and Jetpack again. I disabled and enabled my plugins again as well – none worked.
Then I found this solution asking me to access my .htaccess file and edit the code in it. By putting a new rule saying that I should I add this to the file:
No luck here as well and I ended with a 500 INTERNAL SERVER ERROR with this code.
Next I landed upon a very scary code, and I should warn you that YOU SHOULD NOT USE IT.
Allow from all
YOU SHOULD NOT USE THIS CODE, I have discussed some of the SECURITY ISSUES related to the XML-RPC file below and you should not add any such code to .htaccess otherwise you will end up having a compromised website.
What was my final solution to it?
After getting no proper solution from any of these methods mentioned above, I edited the .htaccess file and added a new rule to it allowing the access to the XML-RPC file only from the Jetpack.
Allow from 184.108.40.206
Allow from 220.127.116.11
Deny from All
So here it is, I was able to have my connections to the Jetpack work successfully and everything was working good and beautiful. Now I will tell you how to do that.
First, How to access the .htaccess file?
I have discussed the .htaccess file later at the end of this article. You can check that as well. Alright, first of all, you have to sign-in into your Cpanel by logging into your account at your service provider or by directly hitting the URL of your website: www.YOURWEBSITE.com/cpanel. Enter your details and you are good to go.
So as soon you login into your account you will see a File Manager under the Files section. Click on the File Manager, and it will show you a window with the options shown in the image below.
Check the Web Root (public_html/www) and put a mark on the Show Hidden Files (dotfiles), .htaccess is a dot file and is usually hidden in the file manager.
Next, a new window in your browser will open up showing you the list of the files. All you need to do is select the .htaccess file and click on the edit as shown in the image below.
After that, a new window will appear, and all you need to do is just click Edit.
Another tab will open, and all you need to do is add the code and hit Save. You are done, and your Jetpack will work like a charm.
Now let me take few more moments from your time and explain you the terms I used and also the security of the XML-RPC.
What is the .htaccess file?
.htaccess is a file for the Hyper-Text (HT from the HTML) used to manage the directory level configuration of the file system on a server. Not just in the root, but other services that you might be using can have their own .htaccess file. Such as the Yoast SEO plugin creates a .htaccess file for the control and access to directories.
This file is often used to override a global setting for a particular subset of files or a single file. What I just did above is a perfect example how .htaccess can be used to add new rules and allow the access.
Apart from that, this particular file can also help you add additional functionalities such as password requirement while accessing the content, or override the server configuration.
Why is there a dot in it?
In UNIX and Linux operating systems (We can also refer them to as *NIX systems) file name having a “.” at the start means that the file isn’t visible to the file system under ordinary situations, however, you can force the file manager to view such data by asking it show the hidden files. Apart from that, these files are also the one that store configuration of the system component. Such as our .htaccess file is storing the configuration of a particular rule applied a file/directory.
What are security issues with XML-RPC?
I already did a section on What is XML-RPC in this post, now let’s take a closer look and see what are security issues in it and how a misconfiguration can lead to a compromised website.
XML-RPC is responsible for allowing a software system make the procedure or function calls on other system with a HTTP-POST method. This allows you to post on WordPress via eMail and helps Jetpack to communicate with the WordPress.
How it can be abused?
There is a service called as Pingback, which tells you that some Site XYZ has added a link to one of your posts in one its articles. It increases the credibility of your website and also helps the other person by adding more information to the content.
Hackers can abuse this as by sending a non-existing page to load several times, which consumes an enormous amount of server resources required by the readers or the users of that website. Eventually, the website is down, and no one gets to see pages on it.
How you can protect yourself?
First thing you can do is ask the service provider to block access to the XML-RPC.php file and they will do it. Don’t worry it will not break your Jetpack or any other service running on your service.
The code I gave you is indeed secure as well, let’s examine it:
Allow from 18.104.22.168
Allow from 22.214.171.124
Deny from All
The Deny from All lines restricts anyone else to access the file and other two Allow from 126.96.36.199 and Allow from 188.8.131.52 are from a reliable source – Jetpack. So dont worry, both will work just fine without breaking your security.
Another thing you can use it is to install a plugin called as Secure XML-RPC. It can help you secure your WordPress.
Often you will not see such issues with the Jetpack, but if you do, you can follow the above methods, out of them one worked for me. But we must be very careful here, as we are editing one of the most important file .htaccess and working on a file XML-RPC that if irresponsibly handled can break the security.
I have explained everything to you, so make sure before editing your .htaccess file, you must be take backup of it.
Comment if you have any queries, and share for more people to know it.
Later I posted this solution in WordPress Support Forums, Jetpack Plugin author suggested that their IP or Internet Protocol addresses changes over the time and the issue will appear soon after the IPs are updated. So, the final solution to it would be Allowing From All and then using a Plugin called Disable XML-RPC Pingback to protect the website.
So the new code would be:
Allow from all
Along with a Plugin here: Disable XML-RPC Pingback.
Please DO NOT use this .htaccess code without the plugin.
I used this code on my site .
Allow from all
How can it be i try all ways but this code is ok for me pls explain me
Your code is allowing anyone on the Internet to access the file, which is wrong. Malicious people visiting your website can easily abuse it. So if you are allowing access to RPC-XML with .htaccess make sure it is restricted to the sources you want.
If this satisfies your query, please let me know.
yes as you told.
how can i fix.
What exactly you want, let me know please.
nice article ….. it solved my issue. Thank you
Thank you from Argentina
Hope that helps.
Cat says, Thanks!
Just wanted to let you know that it solved my problem. Jetpack couldn’t connect after my site got a new ip address. In my case I deleted the code from .htaccess after Jetpack connected and it keeps working.
Finally, the true savior. After google-ing for a few hours only this method working with me. I rarely comment on something but when i do it worthy.
Thank You! Your comment makes it even better.
Worked! Thank you so much!
Gracias !!! Funciona el update !!! (Thank you !!! It works update !!!)
Thank You Dear EdBinx! 🙂
Thank you Tushar, your solution worked!
I’ve tried everything from disabling all plugins to whitelisting my ip and this is the only solution that worked.
It’s not working for me on namecheap. I think calling the namecheap support is the final solution.
Delwar Jahan, try that manual way with this IP: 184.108.40.206
Allow from 220.127.116.11
Deny from All
This solution not work.
Please contact Namecheap support to add your xmlrpc.php to whitelist in your domain.
This worked for me, Tushar
Thank you so much. You’re a lifesaver
“Jetpack Plugin author” is a massive moron
Allow from all
Worked for me 🙂 Thank you
It Is Not Working For me.I used all the ways mentioned here but getting the same problem again.
Check with your service provider once and see if they have whitelisted your XMLRPC.php file or not.
Thanks! This article saved me 🙂 my site works well again!
Thank you so much.!!
the update worked for me
thanks for posting the code, that was helpful! I noticed that it’s only necessary to put in this code snippet for connecting to jetpack. As soon as it’s connected, you can delete it.
Using both your solution and the “final” solution here resulted in 500 errors after adding the code to the .htaccess file. My server has reassured me that nothing on their end is blocking xmlrpc.php.
500 error on your website means there’s some mistake in the .htaccess file. Do you mind sharing the contents at firstname.lastname@example.org? Just put your name in the subject.
I tried this but it didn’t work. Any more suggestions please?
It’s working now. Thanks
Thanks for this putting this up. I used the update and it worked!
Keep up the good work.
I am glad that it helped. Thank You!
Hey man, that was really helpful, I’m very grateful… It fixed both my inability to login to the wordpress app and jetpack… God bless.
please i have tried all mentioned in this post and it doesnt seem to work for me, what am i doing wrong?? please help me
I think you will have to contact your server provider to fix this issue.
I have but they said they havent blocked anything.
please help.. I haven’t been ablr to fix this for 3 days now. do you need any information to help?
Drop me an email at email@example.com and I will try to help you fix the issue. 🙂
I just sent you an email, thanks in advance
That really great idea worked for me.. thanks for sharing these tips and tricks !!
Thumbs up !
OMG i finally got the solution here… Thank you for sharing. Admin kindly review my blog.
Great ! thanks…now jetpack works !
ممنون Thanks a lot
i’m from Iran and this tutorial is very useful for and resolve my http 403 error..
thanks again …. 🙂
Oh, God, thank you.
You save my life. Your steps are so complete
I’m newbie, and I was going crazy about it.
But, Is it completely safe to allow all IP and just block it by disable xml rpc pingback plugin?
Is there left any vulnerable condition to exploit?
or any other issues?
Thank you for appreciating the work.
To answer your question, yes, it will protect you from a majority of the attacks targeting pingbacks.
Wow! After 42 hours of frustration and headache due to Jetpack not connnecting, i finally found your post which i reluctantly clicked though!
But at the end of it all, it made all the difference.. Now am HAPPY!!!
Thank You Soo Much!!!!
You just saved my life. I don’t have words to thank you, if you’ll ever manage to come to Rome, Italy, there is a nice beer waiting for you!!! 🙂
Thank you! You just made my day 🙂
Thank you so much! The new code worked!
then what about the 405 error on xmlrpc?
I get that error as a broken link.
I need your help
Thanks a lot for all the explanations and for sharing it (your ending UPDATE saved my day) !
All the best !
Hi! I was puzzled for this error and you saved me! Thank you very much!