Disable XML-RPC: Have you ever published an article from your WordPress app? You are able to do so because of WordPress XML-RPC. It is also used to implement trackbacks and pingbacks, which allow you to link to other websites. Despite its benefits, XML-RPC is also exploited to gain access to WordPress websites. Hence, disabling it could help improve your WordPress security.

Since WordPress 3.5, XML-RPC has been enabled by default, because some popular WordPress plugins like Jetpack, and even WordPress’ own apps for both Android and iOS, use XML-RPC.

How Does XML-RPC Pose a Risk to a Site’s Security?

There are many ways to hack a site. Unlike other hack attempts, brute force attacks are the simplest attacks used to gain access to your site. In brute force attacks, hackers make repeated login attempts on the WordPress login page. They try to guess your username and password over and over again until they gain access to your site. Brute force attacks are deemed very useful because they are very successful. Many people use easy-to-guess usernames like “admin” and passwords like “password123,” which makes it really easy to break into their website.

There are a number of ways to secure your WordPress login page from brute force attacks and reduce the risk of a security breach (we wrote extensively on how to protect your WordPress login page on our blog). However, hackers are undeterred, and they have found other hard-to-detect ways to brute force their way into your site using XML-RPC.

All XML-RPC requests are authenticated before a post is published. Hackers exploit this authentication process and try an endless number of username and password combinations in order to gain entry to your site.

While login protection methods like HTTP Authentication and CAPTCHA-based protection can effectively block login attempts on the login page, they are unable to protect against XML-RPC attacks.

Besides brute force attacks, another type of attack that exploits XML-RPC is the DDoS attack. In a DDoS attack, many websites are used to bring down a single site. The targeted site is overwhelmed with traffic requests made by the infected sites. Unable to handle that much traffic, the website server goes down and the site becomes unavailable to legitimate users. You could be one of those infected sites. If you have pingback enabled on your site, your site could be taking part in an attack right now without you even knowing about it. Using XML-RPC, a hacker can send pingbacks and launch attacks on your site with hundreds of thousands of clean and popular websites.

Endless requests will end up overwhelming your server and slowing down your site. It may even crash your site. In most cases, the web host steps in and shuts down your site before any of these things happen. Given the risk of using XML-RPC, it’s better to disable XML-RPC.

How to Disable XML-RPC on a WordPress Site?

You can disable XML-RPC using the .htaccess file or a plugin. The .htaccess file is a configuration file that you can create and modify.

These are the steps you need to take to disable XML-RPC on your WordPress site.

Step 1: To access the .htaccess file, open your web host account and go to cPanel. Select File Manager, and it’ll take you to the File Manager page.

Step 2: On the left-hand side, there’s a public_html folder. Inside public_html, you should find the .htaccess file.


Step 3: Right-click on the file and select Edit.


Step 4: And then simply paste the following code in your .htaccess file:

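# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: to exempt one trusted address, uncomment the next line
# and replace the placeholder with that address.
# allow from YOUR.TRUSTED.IP.ADDRESS
</Files>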


This should disable XML-RPC on your WordPress site.
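To check from the web server's access log which clients have been sending repeated POST requests to xmlrpc.php, and whether the rule above is now denying them, the following Python script can be used. It is an added example, not part of the original article; it assumes the Apache "combined" log format, the threshold of 3 requests is an arbitrary illustration, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize_xmlrpc(lines, threshold=3):
    """Count POSTs to xmlrpc.php per client, split into served vs. denied (403)."""
    stats = defaultdict(lambda: {"served": 0, "denied": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string; match the script wherever WordPress is installed.
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        key = "denied" if m["status"] == "403" else "served"
        stats[m["ip"]][key] += 1
    report = {}
    for ip, c in stats.items():
        report[ip] = {
            **c,
            # Many POSTs from one client is the brute-force pattern described above.
            "suspicious": c["served"] + c["denied"] >= threshold,
            # True only if every request from this client was answered with 403.
            "block_effective": c["served"] == 0,
        }
    return report

def _line(ip, method, path, status):
    # Build one constructed log line (sample data, not from a real server).
    return (f'{ip} - - [10/Mar/2024:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-sample"')

SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", 200)] * 4     # before the rule
    + [_line("198.51.100.9", "POST", "/xmlrpc.php", 403)] * 3  # after the rule
    + [_line("192.0.2.10", "GET", "/xmlrpc.php", 200),         # not a POST: ignored
       _line("192.0.2.10", "POST", "/wp-login.php", 200),      # other script: ignored
       _line("192.0.2.20", "POST", "/blog/xmlrpc.php?x=1", 200)]
)

if __name__ == "__main__":
    for ip, row in sorted(summarize_xmlrpc(SAMPLE_LOG).items()):
        print(ip, row)
```

Any client that still shows served requests after the .htaccess change means the rule is not being applied to that path.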

Modifying the .htaccess file without technical expertise can prove to be risky. One must tread carefully. A single misstep can cause serious damage to your site. Hence, it is easier to disable XML-RPC using a WordPress plugin.

There are many WordPress plugins that’ll enable you to disable the XML-RPC feature on your site. However, remember that many popular apps and plugins use XML-RPC to execute some of their own functions. These include Jetpack, BuddyPress, LibSyn, the WordPress Mobile App, and many photo gallery plugins. Hence, if you are using any of these, disabling XML-RPC could affect some of their functionality. They may stop working properly.

In this case, you might consider enabling only the parts of XML-RPC that you need in order to run your plugins properly. Plugins like Remove XML-RPC Pingback Ping enable you to turn off only the pingback feature of your site. You don’t need to disable XML-RPC entirely.

Whether you choose to disable XML-RPC using .htaccess or a plugin, it is always important to have several backups of your WordPress site. It’s easy to roll back to a previous version if you have a backup. Moreover, if you decide to keep the functionality on, you can choose to restore from a previous version of the site.