Sales: 0844 88 43 400 (9am til 5pm GMT, Mon - Fri)

Knowledgebase

How To Disable XML-RPC in Wordpress Print

  • 11

The XML-RPC function in Wordpress is usually used to make remote posts to Wordpress installations from Mobile devices. It is also used by a number of 3rd party plugins to deliver new content to your Wordpress site.

Unfortunately the XML-RPC function is now being widely exploited by the bad guys to launch DDOS and Brute Force attacks on a very regular basis. This is not only bad for the overall goodness of the Internet but it'll also cause high resource usage on your hosting account.

As such we recommend all users disable the XML-RPC functionality in Wordpress unless you are actually using the function.

To disable XML-RPC there are a couple of options. You can either disable access to the xmlrpc.php file in your .htaccess file or you can use a 3rd party plugin.

We personally recommend the .htacces method rather than using a plugin but both methods to disable xmlrpc.php can be found below.

Option 1 - Disable xmlrpc.php in .htaccess

This is very simple. All you need to do is edit the .htaccess file associated with the Wordpress site (it will be located in the home directory of the site) and add the following code to the file:

<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
ErrorDocument 403 "XML-RPC Disabled."

Option 2 - Use a Plugin to disable XML-RPC

There are a number of plugins out there that claim to disable XML-RPC functionallity on Wordpress sites but a lot of them are inneffective. Based on user feedback, the following plugin seems to be doing a good job at blocking the requests at the time of writing, so if you didn't want to use the recommended .htaccess method above you can give the following plugin a try:

Disable XML-RPC Wordpress Plugin


As mentioned previously, a number of 3rd party plugins do use this function, so blocking it would break those plugins. Some of the most well known plugins that require XML-RPC can be found below:

  • WordPress Mobile App
  • JetPack (just some parts of it)
  • LibSyn (for podcasts)
  • BuddyPress
  • Windows Live Writer

But for the vast majority of Wordpress sites that we see, the XML-RPC function isn't used and is simply used as a way for the bad guys to exploit your site, hence we recommend disabling it.


Was this answer helpful?

« Back