How to disable xmlrpc.php for Wordpress?

  • Applies to: WordPres sites
    • Difficulty: Easy
    • Time Needed: 10
    • Tools Required: wp-admin access, FTP access


The following guide will provide a brief outline of the original purpose of xmlrpc.php, why disabling this feature is recommended for security, and how to go through the steps of disabling it. Fortunately, disabling XML-RPC can usually be done within a few minutes.

Please keep in mind that troubleshooting the configuration/functionality of third-party applications is not covered by our statement of support. These resources were provided as a courtesy to assist you to the extent of our abilities. For more information on our statement of support, feel free to click here.

What is XML-RPC?

XML-RPC for WordPress was designed to enable remote connections between your site and external applications. This means, users are able to interact with their WordPress site through different blogging platforms or phone apps. This was useful in the earlier days of the internet, when a person would want to edit content offline, and then connect to their WordPress blog later to publish it.

There are certain situations where users would wan to use XML-RPC. However, with advances in technology, the use and functionality of XML-RPC has been greatly reduced since its inception. As such, the original pros that this feature gave, has become outweighed by the potential security risks that are involved by leaving it enabled.

Why should I disable XML-RPC?

As eluded to in the previous section, there are security risks associated with leaving XML-RPC enabled. These can include:

  • Brute Force Attacks - Where an attacker can use xml-rpc to test hundreds of username and password combinations until they are eventually able to gain access to your site. This occurs because xml-rpc does not have the same login attempt limit that exists when you log into WordPress normally.
  • DDoS Attack - Where an attacker can use xml-rpc to pingback thousands of IPs. This allows them to send a flood of data and traffic which can cause overages and even have networks paralyzed and shutdown.


Check if XML-RPC is enabled

  1. Go to the following website: XML-RPC Validator.
  2. Type in your domain name. Then click Check.
    • Although there is a Username/Password box, you can leave that section blank.
  3. If you receive a success message, that means that XML-RPC is enabled and you will want to disable it.

Method 1 - Plugin

  1. Log into your WordPress Admin Dashboard.
  2. Click on Plugins >> Add New.
  3. Search for "Disable XML-RPC" and install the Disable XML-RPC plugin.
  4. Simply activate the plugin, and that's it! XML-RPC should be disabled.
  5. You can recheck using the XML-RPC Validator. A failure message will confirm that XML-RPC is disabled.

If you wish to retain specific functionality of XML-RPC you can utilize other plugins such as:

Method 2 - .htaccess

  1. Using FTP FTP FTP FTP or File Manager File Manager File Manager , navigate to your site's root directory root directory root directory root directory.
  2. Open the .htaccess file.
  3. Add the following code to the .htaccess:
     # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from

    You can replace with an IP address you wish to give access to xmlrpc.php. If you wish to remove access completely, you can simply remove this line.