What is WordPress XML-RPC and How to Disable It in WordPress?

Updated on: August 9, 2021

What is WordPress XML-RPC and How to Disable It in WordPress?

If you are here searching for ways to disable XML-RPC to secure your website from WordPress XML-RPC exploit, you are in the right place. But before that, you need to know the answers to these questions.

  • What is XML-RPC.php?
  • How can an XML-RPC exploit put your website at risk?
  • Is disabling XML-RPC exploit going to solve everything?
  • What can be the alternative to disabling the XML-RPC feature?

Through this article, we will try to give answers to all these questions and a lot more.

What is XML-RPC?

WordPress XML-RPC is an API (application program interface) that enables the transfer of data between your WordPress website and other systems. 

Although it is now largely being replaced by the REST API released by WordPress, it is still used for backward compatibility. That is, XML-RPC is meant for the websites that are still using the older versions of WordPress.

If you are using an older version, we strongly recommend updating it. Running an older version of a WordPress website can do you more harm than hackers trying to launch brute-force attacks through XML-RPC.

Related Guide – The Ultimate WordPress hack removal guide

XML-RPC can put your website at risk

By exploiting the following known vulnerabilities, XML-RPC can put your website at risk:

DDoS attacks via pingbacks and trackbacks

Apart from the data transfer, xmplrpc.php is also responsible for enabling the pingbacks and trackbacks. These are the notifications that you receive when a blog or a third-party website links to your website.

Although it has been replaced, some websites still use XML-RPC.php for backward compatibility. If you are one of them, hackers can launch DDoS attacks on xmlrpc.php by sending a large number of pingbacks and put your site out of action or you can say – make it unavailable for your users.

Brute-force attacks via XML-RPC

XML-RPC (XML-remote processing call) allows encoded remote calls transported via HTTP that enables you to remotely post, edit, or delete a file or content from your WordPress website. With each request, xmplrpc.php sends the authentication information. It makes it easier to push a large amount of data at one time.

But the ability to push a large amount of data at one time implies that even hackers can also sneak-in a number of passwords to it. If a hacker sends enough authentication requests with a different combination of username and password, they might get it right eventually, and as in result, your site gets compromised.

How to check if xmlrpc.php is running on a website or not?

Before jumping on the disabling of XML-RPC, first of all, you need to check whether or not xmlrpc.php is running on your website.

You can check if the API is enabled on your website or not via WordPress XML-RPC Validation Service.

WP XML-RPC Validation Service

If you discover that xmlrpc.php is still running on your website, skip to the next section and follow the instructions carefully.

How to disable XML-RPC service?

1. Disable XML-RPC via a plugin

Download the WP security hardening plugin from the WordPress plugins directory. Login to your WordPress backend, navigate to Plugins>>Add New and upload the plugin file. Once uploaded, activate the plugin. It’ll reflect on the left bottom of your WP dashboard.

&lt xmlrpc.php
WP Hardening plugin showing on left panel

Then, follow these steps to disable XML-RPC with the WP-Hardening plugin:

  • Go to the ‘WP Hardening’ icon.
  • Select the ‘Security fixes’ tab in the plugin.
  • And toggle the key next to the option ‘Disable XML-RPC’ and you’re done/.

Other than disabling xmlrpc.php, you can also use the WP security hardening plugin to secure several other security areas on your website including – changing admin URL, Disabling file editor, Disabling WP-JSON, hiding important files, stopping user enumeration, and so on. Follow this knowledge base to learn more about WP-Hardening configurations.

2. Disable XML-RPC without a plugin

  • Via a filter: You can use the xmlrpc_enabled filter to disable this service on your WordPress website. All you have to do is add the following code to a plugin and you are good to go:
add_filter( ‘xmlrpc_enabled’, ’_return_false’ );
  • Via .htaccess file: Add these codes to the .htaccess file of your WordPress website:
<Files xmlrpc.php>
Order Allow, Deny
Deny from all

We know you must have heard it a lot of times, but before trying to perform any task manually, take backups of all the important files. It may come in handy when you make a mistake or when your website is hacked.

Although we did explain the process to disable xmlrpc.php, it is not always a wise solution to all the problems. One way or another, a hacker will find some other vulnerability in your website to exploit. 

Related Guide – WordPress Malware Removal

We recommend that you install a security firewall to block all the hacking attempts made by bots and hackers. 

With the help of Astra’s security firewall, you can block all the attempts of XSS, CSRF, SQLi, etc. With 24*7 customer support, you will be able to implement all the missing security practices on your website.

Get the ultimate WordPress security checklist with 300+ test parameters

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany