How to Disable XMLRPC.PHP on WordPress in 2 Simple Steps

WordPress is the most popular tool to create a website or blog. It is an easy-to-use content management system enabling website owners to manage important aspects of the website without any kind of programming knowledge. But do you know about all the inbuilt features that the platform contains? Do you know about the existence of a file known as XMLRPC.PHP, and what does it do for you? It can be harmful too. In this guide, learn how to disable XMLRPC.PHP on your WordPress website.


XMLRPC.PHP helps to create a remote connection with WordPress. In its absence, several tools and publishing applications will not be able to access your website. You will have to log in directly to the system to be able to make any additions or updates to the website.

WordPress uses XML-RPC to exchange information between computer systems over a network. The specification was developed to standardize communication between different systems. This standardization allowed users to make remote updates to WordPress from other applications.

For example, if you try to update your website or post blogs using Windows Live Writer, you can do the same because of XMLRPC.PHP. The tool is also helpful in publishing or making changes to the website using the WordPress mobile app.

Besides, if you want to make connections to services like IFTTT, this is the feature to use.

Now, you would think that this specification is a very useful part of WordPress. While that was true in the beginning and the tool did a pretty useful job, the file has now become more of a pest than a solution.

This is because XMLRPC.PHP opens your website via additional access points, leaving it vulnerable to external attacks.

Verify If XMLRPC is Enabled?

Many WordPress users are confused about this. They don’t know whether XMLRPC is enabled on their website or not. Remember, XMLRPC is enabled by default. It is active after you install WordPress.

Furthermore, if you want to check, run your site through an XML-RPC Validator. This tool lets you know the current status. If you receive an error message, it means XMLRPC.PHP is disabled. However, if you receive a success message, you must use one of the two methods suggested below to stop XMLRPC.PHP.

Why Should You Disable XMLRPC.PHP?

XMLRPC comes with several security concerns. These concerns don’t directly arise from XMLRPC but the way the file is used to enable a brute force attack on your site. While incredibly strong passwords and WordPress security plugins are a good way to protect yourself, the best solution is to disable it.

XMLRPC has two main weaknesses that attackers have benefitted from in the past. The first is making use of brute force attacks to gain access to your site. Using the different username and password combinations for XMLRPC.PHP, an attacker tries to access your site. What’s more, attackers only need to use a single command to try hundreds of different passwords. They can avoid security tools that generally detect and obstruct such brute force attacks on your website.

The second is taking your website offline using a DDoS attack. Using the pingback feature in WordPress, attackers send pingbacks to thousands of sites at the same time. This feature of XMLRPC provides attackers with a large database of IP addresses through which they can distribute this DDoS attack.


When you disable this feature, you are protected from the risk of external attacks. Over the years, developers of this code have tightened up its structure. While contributors claim it to be as secure as the rest of the core files of WordPress, others believe that it is safer to disable the feature.


The downside of disabling this feature is that you lose remote access to WordPress. As a result, you lose some of the versatility and functionality of the system. Users cannot post blogs from a different application using a remote connection. Any changes or updates require logging in directly into WordPress. This restriction may not be suitable for those who like to post blogs and content directly from their mobile devices.

How to Disable XMLRPC.PHP on WordPress Using a Plugin?

It is easy to disable XMLRPC.PHP on your WordPress site with the use of a plugin. There are some free business WordPress plugins that help in disabling XMLRPC.PHP.

All you need to do is install the Disable XML-RPC plugin.

To start, click on the Plugins tab in the Admin taskbar on the left-hand side. Next, click on Add New and search for Disable XML-RPC.


As soon as you activate the plugin, it will do all the work. It will automatically insert the code to disable XMLRPC.

Nevertheless, please remember that some plugins use parts of XMLRPC and completely disabling the same can result in a plugin conflict. You will notice a disruption in the functioning of certain elements of your website.

Alternatively, you can turn off only particular elements of XMLRPC and let the useful features and plugins continue to work. To do this, you need to use the following plugins:

  1. Stop XMLRPC Attack: Using this plugin, you can easily block the attacks. Additionally, plugins like Jetpack and other automatic tools can continue to access the xlmrpc.php file.
  2. Control XMLRPC Publishing: Using this plugin, you can continue to enjoy the convenience of remote publishing that was offered by the XMLRPC.PHP file.

How to Disable XMLRPC.PHP Without a Plugin?

You can also disable XMLRPC on your own without using a plugin. This step will prevent all XMLRPC.PHP requests from getting passed on to WordPress.

To start, open your .htaccess file. If you can’t find this within the file manager, you might have to click on ‘Show Hidden Files’ or take the support of your FTP client.

Once you have opened the .htaccess file, copy and paste the code mentioned below:

<Files xmlrpc.php>
Order Allow,Deny
Deny from all

Remember to take a copy of the old file before you paste the code so that you have a backup in case you run into any issues.

Disable XMLRPC & Feel Safe

Initially, XMLRPC was a convenient tool to help bloggers and site users with remote publishing. However, the feature came with certain security holes that resulted in a lot of damage for some of the WordPress site owners. Therefore, if you want to keep your site safe and secure, it is suggested that you disable XMLRPC.PHP completely.

Many experts expect the features of XMLRPC to witness an upgrade allowing better integration with the latest WordPress API. This integration will allow remote access without hampering the security. But, so long as that happens, it is a good idea to keep yourself protected from the potential security holes of XMLRPC.

Leave a Reply