How to Disable XML-RPC in WordPress and Why You Should
XML-RPC is a frequent target for WordPress attacks. Learn what it does, why it's dangerous, and how to safely disable it to improve your site's security.
What is XML-RPC?
XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as a transport mechanism. In WordPress, the xmlrpc.php file enables external applications to communicate with your site, allowing features like remote publishing, pingbacks, and trackbacks.
Originally, XML-RPC was essential for mobile apps and remote publishing tools. However, WordPress has largely replaced this functionality with the more modern REST API, making XML-RPC unnecessary for most websites.
Security Risks of XML-RPC
Amplified Brute Force Attacks
XML-RPC's system.multicall method lets a client bundle many method calls into one HTTP request, so an attacker can submit hundreds of username and password guesses (for example through wp.getUsersBlogs, which only needs a login to answer) in a single POST. Protection that counts requests to wp-login.php, or rate-limits HTTP requests, sees one request where hundreds of passwords were tested. WordPress core has refused further logins inside a multicall after the first failure since version 4.4, but the endpoint still accepts an unlimited number of single-login requests, and scanners still probe it heavily.
DDoS Attack Vector
The pingback.ping method takes a source URL and a target URL, and your site fetches the source URL to verify that it really links to your post. An attacker who sends pingback requests to thousands of WordPress sites, each naming the victim as the source, turns every one of them into an unwitting participant in a reflected DDoS against that victim, with your server doing the fetching.
Information Disclosure
XML-RPC reveals details of your installation to anyone who asks: system.listMethods returns every method the server will accept, and the authenticated methods confirm when a username and password pair is valid. Attackers combine this with usernames harvested from author archives or the REST API users endpoint to run targeted password guessing.
Historical Vulnerabilities
XML-RPC has had multiple security vulnerabilities over the years. While most are patched, the protocol's complexity means new vulnerabilities may be discovered.
Do You Need XML-RPC?
When You Might Need It
- Using the WordPress mobile app
- Remote publishing with desktop clients like Windows Live Writer
- Jetpack (the plugin talks to WordPress.com through xmlrpc.php, so blocking the file breaks its connection)
- Some third-party services that haven't updated to REST API
When You Don't Need It
- You only publish from the WordPress admin dashboard
- You use the Block Editor or Classic Editor directly
- You don't use pingbacks or trackbacks
- Your third-party integrations use REST API
For most WordPress users, XML-RPC is completely unnecessary and can be safely disabled.
How to Disable XML-RPC
Method 1: Using a Security Plugin
Most security plugins include an option to disable XML-RPC. With WP Folder Shield, navigate to Settings > Security and enable the "Disable XML-RPC" option. This is the safest and easiest method.
Method 2: Using .htaccess
Add this code to your .htaccess file to block access to xmlrpc.php at the web server, before PHP or WordPress is ever loaded:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
Replace xxx.xxx.xxx.xxx with any IP addresses that should still have access (a remote publishing client, for instance), or remove the allow line to block everyone. This is the Apache 2.2 access-control syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the native equivalents are Require all denied followed by Require ip and the address. Your host must also honour .htaccess files (AllowOverride) for the block to take effect. Because the request is refused before PHP runs, this is the cheapest way to absorb the high-volume scanning that xmlrpc.php attracts.
Method 3: Using a Filter
Add this code to a custom plugin or a must-use plugin (code in a theme's functions.php is lost when you switch themes):
add_filter('xmlrpc_enabled', '__return_false');
This filter is narrower than its name suggests: it only disables the XML-RPC methods that require authentication, such as publishing and content retrieval. pingback.ping and any custom methods stay reachable, and every request still loads PHP and WordPress before it is refused. Combine it with the .htaccess or Nginx block, or remove the pingback methods as described under Partial Disabling Options, for complete protection.
Method 4: Using Nginx
For Nginx servers, add this inside the server block of your site configuration and reload Nginx; the request is answered with 403 before it reaches PHP-FPM:
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
}
Partial Disabling Options
Disable Only Pingbacks
If you need some XML-RPC functionality but want to disable pingbacks, use this filter (again in a plugin or must-use plugin); the removed methods are then answered with the fault "requested method does not exist":
add_filter('xmlrpc_methods', function($methods) {
unset($methods['pingback.ping']);
unset($methods['pingback.extensions.getPingbacks']);
return $methods;
});
Restrict to Specific Methods
The same xmlrpc_methods filter can be used the other way round: return only the entries for the methods your applications actually call, and every other method, pingback.ping included, is reported as non-existent. Note that the filter cannot remove system.multicall, system.listMethods or system.getCapabilities, because the IXR server registers those after the filter has run; blocking multicall needs a check on the raw request instead.
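The following must-use plugin is an added example written for this article, not code from WP Folder Shield or WordPress core. It puts together the method restriction described in this section and the system.multicall amplification described under Security Risks: it keeps only an assumed allowlist of methods, and parses the raw request body so that any multicall bundling more than one login is refused before the XML-RPC server sees it. The allowlist, the file name and the limit of one authenticated call per request are assumptions to adjust for the clients you actually use.

```php
<?php
/**
 * Plugin Name: XML-RPC method allowlist and multicall guard (added example)
 *
 * Added example for this article, not code from WP Folder Shield or WordPress core.
 * Save as wp-content/mu-plugins/xmlrpc-guard.php. Assumptions: the allowlist below
 * stands in for whatever your remote client really calls, and a limit of one
 * authenticated call per request is a policy choice.
 */

declare(strict_types=1);

// Assumed allowlist: enough for a typical remote-publishing client. pingback.* and demo.* are absent on purpose.
const XMLRPC_GUARD_ALLOWED = [
    'wp.getUsersBlogs', 'wp.getPosts', 'wp.getPost', 'wp.newPost', 'wp.editPost',
    'wp.deletePost', 'wp.uploadFile', 'wp.getOptions', 'wp.getUser',
];
const XMLRPC_GUARD_MAX_AUTH_CALLS = 1;

// Assumption: every wp./blogger./mt./metaWeblog. method takes a username and password.
function xmlrpc_guard_is_auth_method(string $name): bool {
    return (bool) preg_match('/^(wp|blogger|mt|metaWeblog)\./', $name);
}

/**
 * Parse a raw XML-RPC body and count the calls it carries.
 * Returns ['method' => string, 'calls' => int, 'auth_calls' => int]; throws on malformed input.
 */
function xmlrpc_guard_inspect(string $body): array {
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET and no LIBXML_NOENT: external entities are neither fetched nor expanded.
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($xml === false || $xml->getName() !== 'methodCall') {
        throw new InvalidArgumentException('not an XML-RPC methodCall');
    }
    $method = trim((string) $xml->methodName);
    if ($method !== 'system.multicall') {
        return ['method' => $method, 'calls' => 1,
                'auth_calls' => xmlrpc_guard_is_auth_method($method) ? 1 : 0];
    }
    // system.multicall takes one param: an <array> of <struct>s, each with a methodName member.
    $calls = 0;
    $auth  = 0;
    foreach ($xml->xpath('/methodCall/params/param/value/array/data/value/struct') ?: [] as $struct) {
        $calls++;
        foreach ($struct->member as $member) {
            if ((string) $member->name !== 'methodName') {
                continue;
            }
            $v     = $member->value;
            $inner = isset($v->string) ? (string) $v->string : trim((string) $v);
            if (xmlrpc_guard_is_auth_method($inner)) {
                $auth++;
            }
        }
    }
    return ['method' => $method, 'calls' => $calls, 'auth_calls' => $auth];
}

// Emit an XML-RPC fault and stop. wp_die() is not used because at 'init' the
// server object it would route the fault through does not exist yet.
function xmlrpc_guard_fault(int $code, string $message): void {
    status_header(403);
    header('Content-Type: text/xml; charset=UTF-8');
    echo '<?xml version="1.0"?><methodResponse><fault><value><struct>'
       . '<member><name>faultCode</name><value><int>' . $code . '</int></value></member>'
       . '<member><name>faultString</name><value><string>'
       . htmlspecialchars($message, ENT_XML1) . '</string></value></member>'
       . '</struct></value></fault></methodResponse>';
    exit;
}

if (function_exists('add_filter')) { // only when WordPress loaded this file
    // 1. Keep only allowlisted methods. Anything else, pingback.ping included, is answered with
    //    fault -32601 "requested method does not exist". system.listMethods, system.getCapabilities
    //    and system.multicall are registered by IXR_Server after this filter runs and cannot be
    //    removed here, which is why step 2 exists.
    add_filter('xmlrpc_methods', function (array $methods): array {
        return array_intersect_key($methods, array_flip(XMLRPC_GUARD_ALLOWED));
    });

    // 2. Refuse any multicall that bundles more than one login, before the server parses it.
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        add_action('init', function (): void {
            try {
                $info = xmlrpc_guard_inspect((string) file_get_contents('php://input'));
            } catch (InvalidArgumentException $e) {
                xmlrpc_guard_fault(-32700, 'parse error');
            }
            if ($info['auth_calls'] > XMLRPC_GUARD_MAX_AUTH_CALLS) {
                error_log(sprintf('xmlrpc-guard: refused %s with %d logins from %s',
                    $info['method'], $info['auth_calls'], $_SERVER['REMOTE_ADDR'] ?? '?'));
                xmlrpc_guard_fault(403, 'system.multicall with multiple logins is not accepted');
            }
        });
    }
}
```

The body is inspected on init because xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so a must-use plugin can read php://input and answer before the IXR server is constructed. Test it with the client you want to keep (it should see only the allowlisted methods in system.listMethods) and with a hand-built multicall carrying two wp.getUsersBlogs calls, which should come back as a fault 403.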
Monitoring XML-RPC Activity
Check Your Access Logs
Review your web server access logs for POST requests to xmlrpc.php. A legitimate client produces a handful of requests from one or two addresses; hundreds of POSTs per hour from many addresses, usually with generic or empty User-Agent strings, mean your site is being targeted. Once you block the file, the same requests should appear as 403s instead of 200s, which is a quick way to confirm the block works.
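The script below is an added example, not part of the original article, that performs this review on a combined-format access log (the default format of both Apache and Nginx): it counts POSTs to /xmlrpc.php per client address, splits them by response status so you can see whether a block is taking effect, and flags addresses above an assumed threshold. The log lines it falls back on are constructed for illustration, as are the user-agent strings in them.

```php
<?php
// Added example, not from the original article: summarise xmlrpc.php traffic per
// client address from a combined-format access log (Apache or Nginx default).
// Usage: php xmlrpc-log-report.php access.log   (with no file, constructed sample lines are used)

declare(strict_types=1);

const COMBINED_LOG = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"/';

// Assumed threshold: more xmlrpc.php POSTs than this from one address is flagged.
const FLAG_THRESHOLD = 20;

/** Parse one combined-format line into named fields, or null if it does not match. */
function parse_combined_line(string $line): ?array {
    return preg_match(COMBINED_LOG, rtrim($line), $m) === 1 ? $m : null;
}

/**
 * Count POSTs to /xmlrpc.php per client IP, split by response status.
 * Returns [ip => ['total' => n, 'status' => [code => n], 'ua' => string]], busiest first.
 */
function xmlrpc_report(iterable $lines): array {
    $report = [];
    foreach ($lines as $line) {
        $m = parse_combined_line((string) $line);
        // Query strings (Jetpack appends ?for=jetpack) are stripped before comparing the path.
        if ($m === null || $m['method'] !== 'POST' || strtok($m['path'], '?') !== '/xmlrpc.php') {
            continue;
        }
        $ip = $m['ip'];
        $report[$ip] ??= ['total' => 0, 'status' => [], 'ua' => $m['ua']];
        $report[$ip]['total']++;
        $report[$ip]['status'][$m['status']] = ($report[$ip]['status'][$m['status']] ?? 0) + 1;
    }
    uasort($report, fn(array $a, array $b): int => $b['total'] <=> $a['total']);
    return $report;
}

// Constructed sample: a scanner that kept probing after the file was blocked (200s turn into 403s),
// a legitimate mobile client, and unrelated traffic that must be ignored.
$sample = [];
for ($i = 0; $i < 25; $i++) {
    $sample[] = sprintf('198.51.100.7 - - [12/Mar/2024:10:%02d:00 +0000] "POST /xmlrpc.php HTTP/1.1" %d 370 "-" "Mozilla/5.0"',
        $i, $i < 15 ? 200 : 403);
}
$sample[] = '203.0.113.5 - - [12/Mar/2024:10:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "wp-android/21.4"';
$sample[] = '203.0.113.5 - - [12/Mar/2024:10:31:00 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 199 "-" "Jetpack"';
$sample[] = '192.0.2.9 - - [12/Mar/2024:10:32:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"';

$lines = isset($argv[1]) ? new SplFileObject($argv[1]) : $sample;

foreach (xmlrpc_report($lines) as $ip => $row) {
    $statuses = implode(' ', array_map(fn($code, $n) => "$code=$n", array_keys($row['status']), $row['status']));
    printf("%-16s %5d POSTs  %-20s UA=%s%s\n", $ip, $row['total'], $statuses, $row['ua'],
        $row['total'] > FLAG_THRESHOLD ? '  <-- FLAG' : '');
}
```

Run against the constructed sample, 198.51.100.7 is listed first with 25 POSTs (200=15 403=10) and flagged, 203.0.113.5 shows 2 POSTs, and the wp-login.php request is not counted. If your server uses a custom log format, adjust COMBINED_LOG to match it before trusting the counts.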
Use Security Plugin Logging
Security plugins can log and alert you to XML-RPC attacks, helping you understand the threats targeting your site.
What About the REST API?
The WordPress REST API exposes the same publishing capabilities as XML-RPC with a modern design: each route declares its own permission check, and remote clients authenticate with Application Passwords (WordPress 5.6 and later) or, for logged-in users, with the session cookie plus a nonce. If you need remote publishing capabilities, use applications that support the REST API instead of XML-RPC.
You should also secure your REST API by:
- Requiring authentication for sensitive endpoints
- Restricting the users endpoint (/wp-json/wp/v2/users), which otherwise lists every author to anonymous visitors
- Rate limiting requests
Conclusion
For most WordPress websites, XML-RPC is an unnecessary security risk. Disabling it eliminates a common attack vector without affecting normal website functionality. Use one of the methods above to protect your site from XML-RPC exploits.
Written by Sarah Chen
WP Folder Shield Team