Tutorials

Why and How to Disable WordPress XML-RPC Completely

Learn why XML-RPC is a security risk and how to disable it safely. Protect your WordPress site from brute force and DDoS attacks through XML-RPC.

Marcus Johnson
Disabling WordPress XML-RPC

XML-RPC is one of the most abused WordPress features. It was designed for remote publishing, but on most sites today the bulk of the traffic hitting xmlrpc.php is attackers using it for credential brute force and pingback-based DDoS reflection.

What is XML-RPC?

XML-RPC (xmlrpc.php) is a remote procedure call interface, XML over HTTP POST, that WordPress exposes on every site by default. It is what the following rely on:

  • Remote publishing from desktop and third-party apps
  • Pingbacks and trackbacks between blogs
  • Parts of Jetpack (the WordPress.com servers talk to your site through it)
  • The official WordPress mobile apps

Why XML-RPC is Dangerous

Brute Force Amplification

The system.multicall method lets a single HTTP request carry hundreds of individual calls. An attacker packs it with wp.getUsersBlogs calls, each with the same username and a different password:

  • One POST can carry 500+ password guesses, so a few requests cover a whole wordlist
  • Plugins and WAF rules that only count failed logins on wp-login.php never see the attempts
  • Far fewer requests per guess than a normal brute force, so it is cheaper for the attacker and easier to miss in logs

Since WordPress 4.4, once one login inside a multicall fails, core stops checking the remaining credentials in that request, which blunts the multiplier but does not remove it: every request still costs you a credential check, and the endpoint still accepts unlimited login attempts with no lockout of its own.

DDoS Reflection

The pingback.ping method takes a source URL and a target URL and, to verify the link, makes your server fetch the source URL. That fetch is attacker-controlled:

  • The attacker sends pingback.ping requests with the victim's URL as the source
  • Your server dutifully makes an HTTP request to the victim for each one
  • Repeated across thousands of WordPress sites, the victim is flooded by traffic that comes from your servers, not the attacker's

Because the requests originate from your host, the victim sees your IP address, and your site can end up on blocklists.

Information Disclosure

XML-RPC answers unauthenticated requests and can reveal:

  • Whether a guessed username/password pair is valid (a bad pair returns a fault, a good pair returns data, with no lockout on the endpoint itself)
  • Which plugins are installed: system.listMethods is unauthenticated and lists every registered method, including those added by plugins
  • The WordPress version, via the software_version field of wp.getOptions once an attacker has a working login

Do You Need XML-RPC?

You DON'T Need It If:

  • You publish from the WordPress dashboard
  • You don't use Jetpack
  • You don't use a mobile app for publishing
  • You don't use remote posting tools or desktop blog editors

You MIGHT Need It If:

  • You use Jetpack (some of its features still require it)
  • You use the official WordPress mobile apps
  • You use third-party posting apps or integrations that post over XML-RPC

If in doubt, check your access logs for POST requests to xmlrpc.php from addresses other than attackers. If the only callers are unknown IPs hammering it with login attempts, you do not need it.

How to Disable XML-RPC

Method 1: WP Folder Shield (Recommended)

  1. Navigate to WP Folder Shield > Settings
  2. Find the "Disable XML-RPC" option
  3. Enable it
  4. Save changes

XML-RPC is completely blocked: every request to xmlrpc.php, including pingback.ping, returns 403 Forbidden.

Method 2: Filter Hook

// Disable all XML-RPC methods that require a login
add_filter('xmlrpc_enabled', '__return_false');

Put this in a must-use plugin (wp-content/mu-plugins/) or a custom plugin rather than the theme's functions.php, so it survives a theme switch.

Caveat: the xmlrpc_enabled filter is checked inside the login routine, so it only disables the methods that authenticate. xmlrpc.php is still served, system.listMethods still works, and pingback.ping is still accepted, so this method alone does not stop the DDoS reflection described above. Combine it with the pingback removal below, or block the file at the web server (Method 3).

Method 3: .htaccess (Apache)

This blocks the file before PHP runs, so it stops pingback.ping and the CPU cost of parsing each request as well as logins. The snippet below is Apache 2.2 syntax (it also works on 2.4 when mod_access_compat is loaded):

<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>

On Apache 2.4 and later, use Require all denied inside the same <Files> block instead. Remember that Jetpack and the mobile apps will stop working unless you add an exception for their source addresses.

Partial Disable Options

If you need some XML-RPC functionality, remove only the dangerous methods instead of the whole endpoint.

Disable Only Pingbacks

Keep remote publishing but drop the method used for DDoS reflection:

// Remove pingback.ping from the list of methods XML-RPC will serve
add_filter('xmlrpc_methods', function($methods) {
    unset($methods['pingback.ping']);
    return $methods;
});

Your site will still send the X-Pingback response header advertising the endpoint; filter wp_headers to remove it if you want to stop advertising pingbacks too. This does not stop multicall brute force, because the login methods are still present.

Require Authentication

Use the same xmlrpc_methods filter to strip every method that works without credentials (pingback.ping, demo.sayHello, system.listMethods and the other system.* helpers), leaving only methods that call the login routine. Anonymous requests then get nothing but a fault, which removes the reflection and enumeration problems, while publishing clients that authenticate keep working. Login attempts are still accepted, so pair this with a rate limiter that watches xmlrpc.php, not just wp-login.php.

Verifying XML-RPC is Disabled

  1. Visit yoursite.com/xmlrpc.php in a browser (this is a GET request)
  2. If blocked at the web server or by WP Folder Shield: 403 Forbidden or a blank page
  3. If the file is still served: the text "XML-RPC server accepts POST requests only."

The browser check only tells you whether the file is served. It cannot show whether Method 2 or the partial options are working, because WordPress still answers a GET the same way. To verify those, POST an actual call: system.listMethods should no longer list pingback.ping, and a wp.getUsersBlogs call with bogus credentials should return fault code 405 ("XML-RPC services are disabled on this site.") rather than 403 ("Incorrect username or password."), which would mean logins are still being checked.
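The POST-based check described above, as an added example written for this article rather than code from the original page or from WP Folder Shield. It uses only the Python standard library: it asks xmlrpc.php for system.listMethods, reports which of the methods discussed above are still registered, and, if wp.getUsersBlogs is present, sends a bogus login to see whether the fault code is 405 (authenticated methods disabled) or 403 (logins still being checked). The fault codes and the list of "risky" methods are this example's assumptions about current WordPress behaviour; the sample responses at the bottom are constructed, not captured from a real site, so the parsing can be exercised offline.

```python
"""Probe a WordPress xmlrpc.php endpoint and report which risky methods it still exposes."""
import sys
import http.client
import xmlrpc.client  # builds and parses XML-RPC payloads for us
from urllib.parse import urlparse

# Why each method matters for the attacks described above (our own notes, not WordPress text).
RISKY_METHODS = {
    "system.multicall": "bundles many calls, including login attempts, into one HTTP request",
    "pingback.ping": "makes your server fetch an attacker-chosen URL (reflection)",
    "wp.getUsersBlogs": "authenticates a username/password pair with no lockout of its own",
}

# Fault codes WordPress core uses in wp_xmlrpc_server::login() (assumption: unchanged in your version).
FAULT_DISABLED = 405   # "XML-RPC services are disabled on this site."  -> xmlrpc_enabled filter is false
FAULT_BAD_LOGIN = 403  # "Incorrect username or password."              -> logins are still being checked


def list_methods_request() -> bytes:
    """Unauthenticated call that enumerates every registered method."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def login_probe_request(user: str = "probe", password: str = "probe") -> bytes:
    """Deliberately bogus credentials: we only want to see whether a login is attempted at all."""
    return xmlrpc.client.dumps((user, password), methodname="wp.getUsersBlogs").encode()


def risky_methods(body: bytes) -> dict:
    """Parse a system.listMethods response and keep only the methods we care about."""
    params, _ = xmlrpc.client.loads(body)   # raises xmlrpc.client.Fault on a <fault> response
    return {m: RISKY_METHODS[m] for m in params[0] if m in RISKY_METHODS}


def classify_login_probe(body: bytes) -> str:
    """Interpret the response to the bogus-credential login."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == FAULT_DISABLED:
            return "auth-disabled"
        if fault.faultCode == FAULT_BAD_LOGIN:
            return "auth-enabled"
        return f"fault-{fault.faultCode}"
    return "auth-enabled"   # a non-fault reply means the credentials were accepted


def post(url: str, payload: bytes, timeout: float = 10.0):
    """POST an XML-RPC payload; returns (http_status, body)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("POST", u.path or "/xmlrpc.php", body=payload,
                     headers={"Content-Type": "text/xml", "User-Agent": "xmlrpc-check"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def probe(url: str) -> dict:
    """Full check: is the file served, which risky methods exist, are logins attempted?"""
    status, body = post(url, list_methods_request())
    if status != 200:
        return {"state": f"blocked (HTTP {status})"}   # e.g. 403 from .htaccess or WP Folder Shield
    try:
        risky = risky_methods(body)
    except xmlrpc.client.Fault as fault:
        return {"state": f"reachable, listMethods faulted ({fault.faultCode})"}
    result = {"state": "reachable", "risky": risky}
    if "wp.getUsersBlogs" in risky:
        _, body = post(url, login_probe_request())
        result["auth"] = classify_login_probe(body)
    return result


# Constructed sample responses (not captured from a real site) so the parsing can run offline.
SAMPLE_LIST = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "pingback.ping", "wp.getUsersBlogs", "demo.sayHello"],),
    methodresponse=True).encode()
SAMPLE_DISABLED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(FAULT_DISABLED, "XML-RPC services are disabled on this site.")).encode()
SAMPLE_BAD_LOGIN = xmlrpc.client.dumps(
    xmlrpc.client.Fault(FAULT_BAD_LOGIN, "Incorrect username or password.")).encode()

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(probe(sys.argv[1]))          # e.g. python3 xmlrpc_check.py https://yoursite.com/xmlrpc.php
    else:
        print("offline self-check:", risky_methods(SAMPLE_LIST),
              classify_login_probe(SAMPLE_DISABLED), classify_login_probe(SAMPLE_BAD_LOGIN))
```

Run it with the full URL of your xmlrpc.php. A "blocked (HTTP 403)" result means Method 1 or 3 is in place; "reachable" with pingback.ping missing and auth reported as "auth-disabled" means Method 2 plus the pingback removal are working; "auth-enabled" means the endpoint is still accepting password guesses. Only point it at sites you own or are authorised to test.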

Get WP Folder Shield to disable XML-RPC with one click and protect against related attacks.

Written by Marcus Johnson

WP Folder Shield Team

Related Articles

The Ultimate Guide to WordPress Security in 2026 (January 15, 2026)
Learn how to protect your WordPress website from hackers, malware, and security threats with this...

How to Scan Your WordPress Site for SEO Spam and Hidden Malicious Content (January 13, 2026)
Learn effective methods to scan your WordPress site for hidden SEO spam, malicious links, and...

How to Protect Your WordPress Uploads Folder from Malware (January 13, 2026)
The wp-content/uploads folder is one of the most vulnerable directories in WordPress. Learn how to...

Ready to Secure Your WordPress Site?

Get complete protection with WP Folder Shield.

Get Started