XML-RPC is the core WordPress API that lets users connect to their WordPress blog using third-party apps and services. This system allows users to manage their blogs using WordPress mobile apps or other remote blogging apps. If you do not use any third-party apps or services to manage WordPress, it is recommended to disable XML-RPC in WordPress. By default, XML-RPC is enabled on all WordPress websites.

XML-RPC also brings security issues. Hackers use this file to perform brute-force attacks on your site. This will take your site down if there are a lot of requests. You can use different ways to protect blogs from brute-force attacks. But there is no reason to keep XML-RPC enabled if you are not using it.

Before you disable XML-RPC, you must know that you will not be able to use WordPress apps for publishing blog posts if you disable XML-RPC in WordPress. Some WordPress plugins including Jetpack also use XML_RPC. If you disable it, you may break some of the plugins. Now when you have decided to disable XML-RPC, learn how to disable XML-RPC in WordPress.

Disabling Xmlrpc.php in WordPress

Method 1

The easiest way to disable XML-RPC on your WordPress site is the installation of a plugin. You can install Disable XML-RPC Plugin in your WordPress blog and activate it. This plugin automatically turns off the necessary code to turn off XML

Method 2

There is another way to disable XML-RPC in WordPress.

Open the functions.php file of your WordPress theme. You can get access to this file by using cPanels File Manager or FTP. Add the following code to the file.

add_filter('xmlrpc_enabled', '__return_false');

I recommend people to not add code in functions.php directly but make a site-specific plugin and keep adding all the codes that they want to add in functions.php. If you ever update your theme or change the theme, you will not lose your custom codes added to the theme.

Method 3

You can also disable access to xmlrpc.php file using .htaccess.

Go to the root directory of your WordPress site by using cPanel’s file manager or FTP. The open .htaccess file and add the following code.

<Files xmlrpc.php>
 order deny,allow
 deny from all
 allow from xxx.xxx.xxx.xxx
 </Files>

Replace xxx.xxx.xxx.xxx with an IP address you want to have access to xmlrpc.php. If you do not want any IP address to have access to xmlrpc.php, remove the line completely. Now the code will be like the code below.

<Files xmlrpc.php>
 order deny,allow
 deny from all
 </Files>

How to check if XML-RPC is disabled.

To test if you have successfully disabled XML-RPC, you can install the WordPress Mobile app on your phone. Now try to login into your WordPress website using the credentials. If XML-RPC is disabled, it will notify you by saying “XML-RPC services are disabled on this site.”

Wrap Up

XML-RPC is a nice feature of WordPress that enables remote publishing using apps or other tools. But this also opens a security hole. If you are not using remote publishing, you need to disable it completely to keep your website secure. I have added three different methods to disable XML-RPC in WordPress. You can use any of these methods.