What XMLRPC Is and How to Disable It in WordPress

By Rebecca

In this article, you’ll get a better understanding of what XMLRPC is in WordPress, and learn how to disable XMLRPC in WordPress.

What is WordPress XMLRPC?

XML-RPC is a protocol for remote procedure calls (RPC) that uses XML to encode its calls and HTTP as a transport mechanism.

WordPress uses XML-RPC to allow the transmission of data, with HTTP for transport and XML for encoding.

This way, you can perform several actions on your website, without the need for direct access to the WordPress administrative panel. For example, if you have a blog and want to publish an article using your smartphone, this is made possible thanks to XMLRPC.

Through XMLRPC you can connect to your website through different devices. That way you don’t have to be at a computer and access the admin panel every time you want to publish or change something.

XMLRPC predates WordPress itself. It was previously used by the blogging software b2, a predecessor to WordPress. In early versions of WordPress, XMLRPC was disabled. However, with the growing demand and need to connect from other devices, it has been enabled by default since version 3.5 of WordPress. Furthermore, WordPress is not the only CMS that uses XMLRPC; some others, such as Drupal, also use or have used it.

The XMLRPC Security Issues

Now that you understand what XMLRPC is, you might be wondering why you should disable it. The reason is that XMLRPC brings major issues and concerns to your WordPress security. Even if you use strong passwords, security plugins, IP blocking, and other protection techniques, XMLRPC is still a tool that cybercriminals can easily use to harm your website.

There are two common forms of XMLRPC-related attacks. The most basic form is a brute-force attack: trying to access your site through XMLRPC with various combinations of usernames and passwords. Although WordPress has several plugins that prevent this type of brute-force attack, they end up ignoring access via XMLRPC. Therefore, cybercriminals could keep trying to break into your website without limit, without being detected or blocked.

The second form does not involve breaking into the website directly, but rather taking your website down through DDoS attacks. As XMLRPC allows the transmission of pingbacks in WordPress, cybercriminals could easily use this feature to perform DDoS attacks. DDoS attacks, or “denial of service attacks”, generate a very large number of requests, to the point of overloading your website and your server. Thus, DDoS attacks can make your website completely unavailable, and may even make your server unavailable.

Should I disable XMLRPC?

Even with the explanation above, there are cases where keeping remote access to WordPress available is essential. So, even in these cases, should XMLRPC be disabled? Let’s better understand this situation.

In more recent versions, WordPress started to use a new API, the WordPress REST API. As a result, XMLRPC became unnecessary. The WordPress REST API is becoming the default API in WordPress, and as a result, XMLRPC will most likely not come with WordPress in future versions.

Therefore, WordPress in its latest versions provides a more robust and secure solution to the problems that XMLRPC solved, through the new API. So there is no longer any need to keep XMLRPC active on your website. The best thing to do is disable it.

However, some people or companies use older versions of WordPress and, for some specific reason, cannot upgrade to newer versions. In these cases in particular, it is worth thinking about whether it is really necessary to use XMLRPC. If not, disable it. If it is necessary, we recommend that you pay more attention to security and that you know how to disable it in case of emergencies. If possible, keep it disabled while it’s not needed, and only enable it when you need it.


How to disable XMLRPC in WordPress?

There are a few ways to disable XMLRPC in WordPress. Here we are going to list two options, through plugins and the .htaccess file.

Note that it is also possible to disable it by editing the code of your WordPress core files. However, we do not recommend this, because changes to those files can cause serious problems within your WordPress.

Another possible way is to remove the xmlrpc.php file. However, as it’s a WordPress core file, we don’t recommend that either.

So let’s go to the two best and safest ways to disable XMLRPC in WordPress.

Disabling XMLRPC through plugins

One of the quickest and simplest ways to disable XMLRPC is by installing and activating specific plugins for this functionality.

So, go to your WordPress admin panel. In the sidebar, go to Plugins and select the Add New option.

In the search bar, search for “Disable XML-RPC”.

Once the search loads, several options will appear. We recommend Neatmarketing’s “Disable XML-RPC-API” plugin. Just click on the “install now” button.

Now just click the activate button!

Done! Just by doing this, XMLRPC will be disabled on your site. It is not necessary to configure anything. The Disable XML-RPC-API plugin will do everything needed to disable XMLRPC in WordPress.

If you want to enable XMLRPC again for any reason, just deactivate the plugin.

With this plugin, it is simple and practical to enable and disable XMLRPC in WordPress whenever you need and want!

Disabling manually via .htaccess

If you have a little more advanced knowledge and know about hosting servers and the .htaccess file, then you can opt for this option. If you do not have any knowledge about it, we do not recommend using this option.

A simple way to disable XMLRPC in WordPress is to stop all requests it receives before they reach WordPress. To do this, go to the directory of your server where your WordPress is installed and search for the .htaccess file. Inside your .htaccess file add the code below and then save it:

# Block all requests to xmlrpc.php before they reach WordPress
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

Remember to make a backup copy of your .htaccess file before making this change.


For a long time, XMLRPC was a great solution for remote access to WordPress. However, it ended up bringing some security holes. Therefore, today XMLRPC is seen more as a problem than a solution.

Probably, in upcoming versions of WordPress, with the new REST API in WordPress, XMLRPC will no longer be at the core of WordPress.

Unless you need XMLRPC functionality and cannot upgrade to REST API communication, it is best to disable XMLRPC in WordPress. This way you guarantee greater security for your website!



Posted by Rebecca
Rebecca is an independent content writer for breldigital. She writes content on any given topic. She loves to write case study articles or reviews of a brand. Whatever the topic, she nails it.