During the setup of EdBinx, Jetpack Plugin by WordPress kept throwing me a site_inaccessible 403 Forbidden Error for XMLRPC.php file every time I tried connecting it to the wordpress.org. First, I tried solving the issue by going through posts at the WordPress forum and other that came in the Google search, however, in the last I added a new rule to my .htaccess file and everything worked like a charm.
What was happening?
Jetpack plugin requires a connection for the wordpress.org so that it can activate it on your account. But somehow it had some issues in the connectivity and kept me throwing this message:
Your website needs to be publicly accessible to use Jetpack: site_inaccessible
Error Details: The Jetpack server was unable to communicate with your site [HTTP 403]. Ask your web host if they allow connections from WordPress.com. If you need further assistance, contact Jetpack Support: http://jetpack.me/support/
Well, it says my web site should be publicly accessible, and then how I can open the URL, land on the homepage and do the operation. The answer was this little thing called as XMLRPC.PHP file residing in the WWW directory of your website.
What is XML-RPC?
XML-RPC.php is a file dealing with the Remote Procedure Call or RPC on your server, and it is crucial for a WordPress website to functional properly. It allows the operating systems running in a different environment make procedure calls over the Internet, here procedure calls means that there exists a software in another corner of the Internet web and is calling a function of another software in some remote location. There are functions in it that are helpful in writing XML-RPC clients and servers. Apart from that there are several functions in it which you can use. Check out the complete list here.
Here my XML-RPC.php file wasn’t properly receiving the traffic it should and so Jetpack resulted in this error.
What had I tried to fix the problem?
As soon as I saw a post on the WordPress that had the same issue as mine, I jumped on it and quickly tried the solution. I was in a real hurry to do this.
The author of this plugin said that I should first check the if there are any security plugins blocking the access – Nopes there were no such plugins. Next there a person said that after commenting out a line in the .htaccess file, everything worked perfectly for him. See the section how to access the .htaccess file at the end of this post.
The code that the person commented out to disable:
#deny from all
My .htaccess file didn’t have these. To comment out, you only put a hash symbol in front of each line as I did in the above code. The reason commenting out is useful is that it helps you make the code inactive as well as preserve it in case you need it again. Next thing I did was I tried installing the WordPress and Jetpack again. I disabled and enabled my plugins again as well – none worked.
Then I found this solution asking me to access my .htaccess file and edit the code in it. By putting a new rule saying that I should I add this to the file:
No luck here as well and I ended with a 500 INTERNAL SERVER ERROR with this code.
Next I landed upon a very scary code, and I should warn you that YOU SHOULD NOT USE IT.
Allow from all
YOU SHOULD NOT USE THIS CODE, I have discussed some of the SECURITY ISSUES related to the XML-RPC file below and you should not add any such code to .htaccess otherwise you will end up having a compromised website.
What was my final solution to it?
After getting no proper solution from any of these methods mentioned above, I edited the .htaccess file and added a new rule to it allowing the access to the XML-RPC file only from the Jetpack.
Allow from 188.8.131.52
Allow from 184.108.40.206
Deny from All
So here it is, I was able to have my connections to the Jetpack work successfully and everything was working good and beautiful. Now I will tell you how to do that.
First, How to access the .htaccess file?
I have discussed the .htaccess file later at the end of this article. You can check that as well. Alright, first of all, you have to sign-in into your Cpanel by logging into your account at your service provider or by directly hitting the URL of your website: www.YOURWEBSITE.com/cpanel. Enter your details and you are good to go.
So as soon you login into your account you will see a File Manager under the Files section. Click on the File Manager, and it will show you a window with the options shown in the image below.
Check the Web Root (public_html/www) and put a mark on the Show Hidden Files (dotfiles), .htaccess is a dot file and is usually hidden in the file manager.
Next, a new window in your browser will open up showing you the list of the files. All you need to do is select the .htaccess file and click on the edit as shown in the image below.
After that, a new window will appear, and all you need to do is just click Edit.
Another tab will open, and all you need to do is add the code and hit Save. You are done, and your Jetpack will work like a charm.
Now let me take few more moments from your time and explain you the terms I used and also the security of the XML-RPC.
What is the .htaccess file?
.htaccess is a file for the Hyper-Text (HT from the HTML) used to manage the directory level configuration of the file system on a server. Not just in the root, but other services that you might be using can have their own .htaccess file. Such as the Yoast SEO plugin creates a .htaccess file for the control and access to directories.
This file is often used to override a global setting for a particular subset of files or a single file. What I just did above is a perfect example how .htaccess can be used to add new rules and allow the access.
Apart from that, this particular file can also help you add additional functionalities such as password requirement while accessing the content, or override the server configuration.
Why is there a dot in it?
In UNIX and Linux operating systems (We can also refer them to as *NIX systems) file name having a “.” at the start means that the file isn’t visible to the file system under ordinary situations, however, you can force the file manager to view such data by asking it show the hidden files. Apart from that, these files are also the one that store configuration of the system component. Such as our .htaccess file is storing the configuration of a particular rule applied a file/directory.
What are security issues with XML-RPC?
I already did a section on What is XML-RPC in this post, now let’s take a closer look and see what are security issues in it and how a misconfiguration can lead to a compromised website.
XML-RPC is responsible for allowing a software system make the procedure or function calls on other system with a HTTP-POST method. This allows you to post on WordPress via eMail and helps Jetpack to communicate with the WordPress.
How it can be abused?
There is a service called as Pingback, which tells you that some Site XYZ has added a link to one of your posts in one its articles. It increases the credibility of your website and also helps the other person by adding more information to the content.
Hackers can abuse this as by sending a non-existing page to load several times, which consumes an enormous amount of server resources required by the readers or the users of that website. Eventually, the website is down, and no one gets to see pages on it.
How you can protect yourself?
First thing you can do is ask the service provider to block access to the XML-RPC.php file and they will do it. Don’t worry it will not break your Jetpack or any other service running on your service.
The code I gave you is indeed secure as well, let’s examine it:
Allow from 220.127.116.11
Allow from 18.104.22.168
Deny from All
The Deny from All lines restricts anyone else to access the file and other two Allow from 22.214.171.124 and Allow from 126.96.36.199 are from a reliable source – Jetpack. So dont worry, both will work just fine without breaking your security.
Another thing you can use it is to install a plugin called as Secure XML-RPC. It can help you secure your WordPress.
Often you will not see such issues with the Jetpack, but if you do, you can follow the above methods, out of them one worked for me. But we must be very careful here, as we are editing one of the most important file .htaccess and working on a file XML-RPC that if irresponsibly handled can break the security.
I have explained everything to you, so make sure before editing your .htaccess file, you must be take backup of it.
Comment if you have any queries, and share for more people to know it.
Later I posted this solution in WordPress Support Forums, Jetpack Plugin author suggested that their IP or Internet Protocol addresses changes over the time and the issue will appear soon after the IPs are updated. So, the final solution to it would be Allowing From All and then using a Plugin called Disable XML-RPC Pingback to protect the website.
So the new code would be:
Allow from all
Along with a Plugin here: Disable XML-RPC Pingback.
Please DO NOT use this .htaccess code without the plugin.