XMLRPC or XML remote procedure call is a system that grants you remote access to your website. So, you don’t have to directly login to WordPress to access your website. By default, this feature is enabled in WordPress. XMLRPC makes your website multifaceted to a certain extent. However, it is often disabled by website owners because of security reasons. This post provides step-wise details on how to do it effortlessly.

Why disable XMLRPC?

The prime function of XMLRPC is to increase connectivity to your WordPress website. With this, you can remotely update your website by providing access to random applications and tools such as mobile. Opening additional access gates to your website typically could invite risks.

In case a vulnerability is found in any of these added facets, it could bare your website unprotected before the hackers. So, unless you require remote connections like mobile devices to publish your content, it is better to disable it. Disabling XMLRPC can help you prevent your website from attackers.

How to disable XMLRPC?

The obvious question and the aim of this post come – “How to disable XMLRPC”. You can use several ways to disable XMLRPC. Like via appending a piece of code in the .htaccess file or via a plugin.

1. Disabling XMLRPC via WP-Hardening Plugin

The WP-Hardening Plugin by Astra Security provides a one-click solution to disable XMLRPC. Here is how this works:

  1. Install WP-Hardening from the WordPress store.
  2. Activate it. The WP-Hardening icon will reflect in the bottom left corner of your admin panel.
  3. Navigate to the “Security Fixers” tab in the plugin and just flick the toggle key next to the option “Disable XMLRPC.
  4. And you are done.

Besides, disabling XMLRPC with a click, you can also use the WP-Hardening plugin to secure other WordPress security areas. For instance, this plugin can be used to achieve better Admin & API security, set recommended file permissions, to stop user enumeration, and many more.

WP-Hardening is a one-stop solution to secure your WordPress. With this in hand, you need not worry about installing ten different plugins for ten different security problems. Plus, it’s always easy to maintain a single plugin than maintaining multiple ones.

2. Disabling XMLRPC via .htaccess

.htaccess files change the configuration of files in an Apache Web Server Software. Therefore, the access requests are disabled before passing it to WordPress.

You can also disable XMLRPC by following the steps below:

  1. Access your website using an FTP (File Transfer Protocol) client like Filezilla.
  2. Access .htaccess in your root folder (generally named public_html).
  3. The default settings might hide this file. In such a case, go to settings and click on ‘Show hidden folders‘ button. Don’t forget to save the changes. The file should now be visible.
  4. Type in the following code after opening the file:
    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from
  5. Save the changes, and you’re done.

For advanced security features for your WordPress, such as continuous monitoring, real-time blocking, etc. you can always rely on the Astra firewall.

If you have other queries, comment below and we’ll be happy to answer 😊

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.