Disable XML-RPC in WordPress

WordPress uses XML-RPC to let users perform a lot of operations on their sites remotely. It lets you access your site using the mobile app for WordPress. You can create a post on your blog remotely using one of the popular weblog clients. They are also used to implement trackbacks and pingbacks which let you link your site to other interesting websites.

Why to disable XML-RPC in WordPress ?

WordPress attacks are exploiting the XML-RPC feature to gain access to sites. So disabling the XML-RPC feature on your site is something that’s worth considering. Here are some security risk due to XML-RPC,

  • DDoS via XML-RPC pingbacks.
  • Brute force attacks via XML-RPC.

How to Disable XML-RPC ?

Some security cautious folks says that while the XML-RPC’s security is not an big issue, it still provides an additional surface for attack if a vulnerability was ever found. Thus, keeping it disabled would make more sense.

Disable WordPress XML-RPC

All you have to do is to paste the following code in functions.php:

add_filter('xmlrpc_enabled', '__return_false');

Alternatively, you can just install the plugin called Disable XML-RPC. All you have to do is activate it. It does the exact same thing as the code above.

Another alternative is to Turn off Allow link notifications from other blogs (pingbacks and trackbacks) on new articles from Settings > Discussion on your dashboard.

disable XML-RPC

Disable WordPress XML-RPC with .htaccess

You have disable the XML-RPC on the above steps but it can still be resource intensive for sites that are getting attacked. In those cases, you may want to disable all xmlrpc.php requests from the .htaccess file before the request is even passed onto WordPress.

Simply paste the following code in your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Disabling XML-RPC affect themes/plugins ?

Yes, Some plugins and themes will use XML-RPC to improve their service and use remote call for accessing data from our website like JetPack and BuddyPress.

If you do find a conflict when you disable XML-RPC, your best resource for help is the developer or support forum of the plugin or app that is no longer working.

Thank You !!

Leave a Reply

Your email address will not be published. Required fields are marked *