How To Disable Xmlrpc.Php To Safeguard Your WordPress Site From Security Issues

Home - WordPress Fixes - How To Disable Xmlrpc.Php To Safeguard Your WordPress Site From Security Issues

WordPress is a unique CMS that comes with built-in features which allows you to interact with your website remotely. Have you ever wanted to access your site only to realize your website is not near? The solution was the xmlrpc.php file. However, for some years now, this file has turned out to be a pest rather than a solution. What is xmlrpc wordpress ?

In this article, we shall define what xmlrpc.php file actually is , and the reason it was built. Further, we shall highlight some common problems caused by this file and, how to fix them on your WP website.

How To Disable Xmlrpc.Php in WordPress Site

1. What is Xmlrpc in wordpress ?

In simple terms, xmlrpc is a WordPress feature which powers data transmission. HTTP acts as the transport medium, while XML acts as the encoding channel. This was to perform the task, because WordPress is not a self-enclosed system, yet it requires to communicate with the rest of the systems.It’s a program where you can post to your WordPress blog using famous weblog clients.

For instance, what would you do if you wanted to post an article on your website using your mobile device as your computer is not around? You can do so using the remote access feature powered by xmlrpc.php.

If you do not disable xmlrpc.php wordpress main features, it let you access your website through the smartphone, and execute trackbacks and ping backs of other websites.

2. Why was Xmlrpc.php made, and what was its use?

XML-RPC was started at the earlier days of WordPress. In the earlier days of the internet, connections were slower. And, writing and publishing on the web was both time-consuming and problematic. Rather than writing in the web browser, many people were writing offline, then copy and paste their writing on the web. Even so, this procedure was inappropriate.

At that time, the solution was creating an offline blogging client. Here, you would compose your content offline, then publish it by connecting to your blog. XML-RPC.php was used in the connection. Because of the XML-RPC basic framework, earlier apps were using this connection to let people log in their WordPress websites using other devices.

3. Present xmlrpc wordpress

The release of WordPress version 2.6 in 2008 came with an option of either activating or deactivating XML-RPC. But, XML-RPC support was not disabled by default in the WordPress iPhone app. The setting did not have an option of turning off. To date, this remains.

Nonetheless, the functionality of this file has decreased with time. Basically, the size of this file has reduced from 83kb to 3kb. Therefore, the role of XML-RPC is not as big as it was.

4. The Future of xmlrpc wordpress

Following the creation of a new WordPress API, our expectation is the complete elimination of XML-RPC. However, this API is in the trial stage, and action is only possible when using a plugin.

Even so, the future expectation is that the WordPress Xmlrpc API will get coded directly in the WordPress core. In turn, there is a higher chance this will disable xmlrpc.php file.

Although the recent API is not perfect, it offers a strong and safe solution to the issue that the xmlrpc php was solving.

5. Why Should You Disable Xml-rpc.php?

Security concerns are the major problems with XML-RPC. These problems are not direct from XML-RPC. Rather, with how this file can get utilized to activate a brute force attack on your website.

Without a doubt, it is possible to protect your site using strong passwords, as well as WordPress security plugins. However, to disable this file, is the best means of protection.

In the past, hackers were exploiting two significant weaknesses of XML-RPC. These are:

  1. First, you can utilize brute force attacks to access your website. A hacker can gain entry to your site with the use of xmlrpc.php, using a different password and username combinations. With a single command, hackers can examine hundreds of different passwords. As a result, this does not disable them to bypass security tools which detect and blocks brute force attacks. You can protect your website from hackers with our WordPress Security services.
  2. Second, the use of a DDoS attack to take websites offline. With this, hackers were using the pingback feature in WordPress for sending pingbacks to thousands of sites at once. This xmlrpc.php feature offers hackers with numerous IP addresses to send their DDoS attacks.

Do you want to examine if your XML-RPC is running on your website? If so, use the XML-RPC Validator tool to run your website. If an error message is what you are getting, then XML-RPC is disabled.

But, if the message you get says “Success,” use these methods to Disable xml-rpc.php:

Method 1: Use plugins to disable Xml-rpc.php

It is easier to disable XML-RPC on your WordPress using plugins:

  • Go to your WordPress Dashboard
  • Click on Plugins
  • Click Add New
  • After that, search for “Disable XML-RPC”
  • Click on install this plugin.

Disable XML-RPC

Once you are done, activate your plugin and you are done. This plugin inserts all vital code to turn off XML-RPC automatically. But, you should remember that some existing plugins might use parts of XML-RPC. Thus, complete deactivation may lead to a plugin conflict. Or, make some elements of your website not to work.

Do you want to turn off some XML-RPC elements, yet let some specific features and plugins to function? If that is the case, use these plugins:

Control XML-RPC Publishing:

This lets you to have control and use of the remote publishing choice provided by xmlrpc.php.

Disable XML-RPC Attack:

This plugin blocks all XML-RPC attacks. However, it lets plugins such as Jetpack, as well as other automatic plugins and tools to continue accessing the xmlrpc.php.

Method 2: Manual deactivation of Xmlrpc.php

Do you prefer to disable this file manually instead of using any plugin? If so, it is possible. Doing so blocks all incoming xmlrpc.php requests.

Here is the process:

  • Start by opening your .htaccess file.
  • After that, go to your FTP client or File manager
  • Turn on the “show hidden files.”

Once you find this file, paste this code in your .htaccess file:


# Block WordPress xmlrpc.php requests


<Files xmlrpc.php>


Order deny, allow


Deny from all


Allow from




In the earlier days, XML-RPC was a great solution to issues arising from remote publishing of your WordPress website. But, this feature had some security holes which are now dangerous to some WordPress website owners.

To secure your website from attackers, completely disable xml rpc.php. But, if you need some of these functions, use plugins such as Jetpack to block security holes, yet let these features work. You can also read the post on which plugins are best for your website’s security.

Use our comment section if you have any question, comment, or suggestion.