How To Disable Xml-Rpc In Wordpress

The XML-RPC protocol permits small changes to WordPress from other applications. For example, because of xmlrpc.php, the Windows Live Writer system can immediately upload blogs to WordPress. However, it was previously deactivated by default due to code issues. In short, XML-RPC.php might expose the site to various assaults and other problems. Read below to know how to disable XML-RPC in WordPress.

Fortunately, the creators of this code have long since cleaned up its structure. And it is still a frequently used program. In this article, we’ll teach you how to activate and disable XML-RPC.php. And why it’s vital to know the difference.

What exactly is xmlrpc.php?

XML-RPC is a standard that allows WordPress to communicate with other systems. It accomplished this by standardizing such communications. HTTP serves as the transport mechanism, and XML serves as the encoding mechanism. XML-RPC predates WordPress. It was present in the b2 blogging program, which was forked in 2003 to produce WordPress.

The system’s code is kept in a file named xmlrpc.php in the site’s root directory. But although XML-RPC is mainly outdated, it’s still there. XML-RPC was disabled by default in early versions of WordPress. However, it has been enabled by default from version 3.5.

The app was not running WordPress; instead, it was a separate app interacting with your WordPress site through xmlrpc.php. XML-RPC was used for more than just the mobile app. For example, it facilitated communication between WordPress and other blogging systems.

It enabled trackbacks and pingbacks and powered the Jetpack plugin. In addition, it connects a self-hosted WordPress site to The xmlrpc.php file is no longer utilized for this communication. Because the REST API was incorporated into WordPress core.

The WordPress REST API connects with the WordPress mobile app, desktop clients, other blogging platforms,, and other systems and services. The REST API may connect with a far broader range of systems than xmlrpc.php allows. There is also a great deal more leeway available to you. Because the REST API has surpassed XML-RPC, you should remove xmlrpc.php from your site. Let’s take a look at why.

Why Should You Disable xmlrpc.php?

The primary reason for disabling xmlrpc.php on your WordPress site is that it creates security vulnerabilities and targets attacks. In addition, to interact outside of WordPress, XML-RPC is no longer required. Therefore, there is no need to keep it running. As a result, it’s a good idea to disable it to make your site safer.

If xmlrpc.php is a security risk and no longer performs its function. Why hasn’t it been wholly deleted from WordPress? One of the essential characteristics of WordPress will always be backward compatibility. If your site is well-managed, you know that keeping WordPress and any plugins or themes up to date is critical.

However, there will always be website owners who are reluctant or unable to update their WordPress version. Therefore, they will still require access to xmlrpc.php if they use a version before the REST API.

Let’s take a closer look at the various issues.

Pingback DDoS Attacks Using XML-RPC

Pingbacks and trackbacks were some of the features allowed by xmlrpc.php. These are the notices displayed in your site’s comments when another blog or site connects to your material. The XML-RPC specification enabled this communication. However, it has since been superseded by the REST API (as we saw already).

If you allow XML-RPC on your site, a hacker may launch a DDoS assault on it. By using xmlrpc.php to send a large number of pingbacks to your site in a short period. That might cause your server to get overloaded. And it causes your website to go down.

XML-RPC Brute Force Attacks

XML-RPcC.php transmits the username and password for authentication with each request. Therefore, it is a severe security risk and is not supported by the REST API. In actuality, the REST API utilizes OAuth for authentication. It provides tokens rather than users or passwords.

Hackers might use xmlrpc.php to try to access your site since it sends authentication information with every request. As a result, if you are running an up-to-date version of WordPress. In addition, it communicates with other systems using the REST API. Therefore, it would be best if you disabled xmlrpc.php. However, it isn’t necessary, and it may make your site insecure.

Is xmlrpc.php active on your WordPress website?

The first step is to determine whether xmlrpc.php is active on your WordPress site. It isn’t a straightforward issue of determining whether the file exists. It’s included with every WordPress installation. So it will be there even if XML-RPC is deactivated.

Before removing anything, always make a backup of your site. In this instance, do not just remove the xmlrpc.php file because doing so would damage your site.

Use the WordPress XML-RPC Validation Service to see if xmlrpc.php is enabled on your site. It will examine your website and notify you whether xmlrpc.php is enabled.

Wordpress Xml Rpc Validation Service

Here’s what I found when I ran this site via the service.

Showing Xml Rpc Is Diactivated

It indicates that XML-rpc.php on has been deactivated. So, if you perform the check and find that XML-rpc.php is still active on your site, how can you disable it?

Disable XML-RPC WordPress Using Plugins

Manage XML RPC:

Manage Xml Rpc Plugin

WordPress allows you to perform many things at the code level. However, it is often just faster to utilize the appropriate plugin. Today, we’ll use Manage XML RPC. This plugin is essential. It allows you to enable and disable XML-RPC whenever you want.

To utilize this fantastic little plugin, you must first install it. And then activate it from the plugins tab of your WordPress admin dashboard.

Installing Manage Xml Rpc

After installing and activating the plugin, a new feature named “XML-RPC Settings.” It will appear on the left side of your WordPress admin panel. To launch the plugin, click this link.

Xml Rpc Settings In Dashboard

Suppose you want to disable WordPress’s remote access capabilities. “XML-RPC” should be disabled by checking the “Disable” box. You may uncheck the package at any time to re-enable it.

Click On Disable Xml Rpc Check Box &Amp; Click On Save Changes

Once you’ve made your selections, then, in the bottom left corner of the screen, click “Save Changes.”

NOTE: Manage XML-RPC has the option to deactivate pingbacks. You may also enable and disable the functionality by specifying specific IP addresses. It is helpful if you want the service to function just for specific apps or users based on their IP address.

This plugin allows you to enable or disable XML-rpc.php for the entire site or a few IP addresses. It’s a valuable tool if you want to prevent specific users from using XML-RPC via WordPress.

Below are a few additional plugins that will similarly enable and disable xmlrpc.php

Disable XML-RPC:

Disable Xml-Rpc Plugin

The Disable XML-RPC plugin is a simple solution to prevent remote access to WordPress. With over 60,000 installs, it is one of the most highly regarded plugins. This plugin has assisted many users in avoiding Denial of Service attacks through XML-RPC.

Disable XML-RPC Pingback:

Disable Xml-Rpc Pingback

Disable XML-RPC Pingback is a plugin that allows you to disable XML-RPC pingbacks. Both of these choices are plugins that you should consider installing on your website.

Disabling XML-RPC Using the .htaccess file

Many individuals have had varying degrees of success by disabling xmlrpc.php using the .htaccess file. The code is pretty basic and might be very useful if you don’t want additional plugins.

To use .htaccess to deactivate the xmlrpc.php function in WordPress. Instead, navigate to the root folder of your WordPress website using FTP. Or File Manager within your GreenGeeks account, whichever you prefer.

Click On File Manager

Locate and modify the .htaccess file. This file may be hidden in various cPanel versions. To access .htaccess, you must configure cPanel to see hidden files.

To do so, go to the File Manager’s top right and select “Settings,” then tick the “display hidden files” box. You will now see your .htaccess file if you click Save.

Click On Show Hidden Files &Amp; Save

Add the following code to the .htaccess file:

[ht_message mstyle=”info” title=”” show_icon=”” id=”” class=”” style=”” ]# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from


Adding Code To .Htaccess

Now click the “Save” button to save the file. It’s as easy as that. Directly, anything distant may be accessed using XML-RPC. PHP will be rejected.

Use of Code in a Site-Specific Plugin

Suppose you want to add functionality to your site without third-party software. Then, a site-specific plugin might be pretty beneficial. It’s a great approach to include Internet snippets in your site without changing a theme template or the functions.php file. To disable the remote access capability, add the following code to your site-specific plugin:

add_filter('xmlrpc_enabled', '__return_false');

The site-specific plugin is saved. It will execute the code as mentioned above and deactivate XMLRPC. However, if you wish to reactivate the functionality, you will need to delete the code.

Have your hosting provider disable xmlrpc.php

Alternatively, if an assault is detected, some hosting providers may deactivate xmlrpc.php. This will result in a 403 error, which will halt the attempt. If you’re doing it yourself, one of the ways listed above is recommended. However, always verify with your hosting provider first.

When Is It Necessary to Enable xmlrpc.php?

There may be times when you should enable xmlrpc.php on your WordPress site. Or when you should not altogether disable it.

They are as follows:

  • You are not using the REST API (recommended but is required in some cases). But you need to interact between your WordPress site and other services.
  • You can’t update WordPress to version 4.4 or higher, so you can’t use the REST API.
  • This might be due to constraints in your hosting configuration (in which case I would change the hosting provider). Or theme or plugin incompatibility (in which case I would replace or update those).
  • You’re collaborating with an external program that can’t use the WP REST API but can use XML-RPC.

That’s all! None of these are mainly compelling reasons to keep the XML-RPC standard enabled. Backward compatibility is the sole reason it’s still in WordPress. And you’d only need it if you’re working with old computers. On the other hand, disabling xmlrpc.php is the best way to keep your site updated and operating with the newest technologies.


The XML-RPC specification was designed before the creation of WordPress. It is a method for WordPress to connect with external systems and applications. It contains intrinsic security vulnerabilities that might expose your site to attack.

You may safely disable xmlrpc.php now that the REST API allows your site to connect with other applications. If you follow the instructions mentioned above, deactivating it will improve the security of your site for sure. These were the better ways to disable XML-RPC WordPress.

Load More Related Articles
Load More By Susana Taylor
Load More In Wordpress

Leave a Reply

Your email address will not be published. Required fields are marked *