How to disable XML-RPC in WordPress

Before WordPress #3.8 the XML-RPC had been disabled in content management system by default. After #3.8 WordPress team announced that this section is as trust-able as other WordPress sections and since it should be enabled for using WordPress mobile App, XML-RPC became enabled by default. These days there is no special security point about XML-RPC, but this file is the target of many attacks that are gonna to make your website down. So here, we learn how to disable XML-RPC and prevent it’s accessibility in WordPress.

What is XML-RPC? Why it should be disabled?

XML-RPC lets you to remote upload posts in your website via some programs like Windows Live Writer. On the other hand some tools like IFTTT and WordPress mobile App use this way to link with your website. It’s OK! But the problem is when the file xmlrpc.php in WordPress is attacked by DDOS – Denial of Service Attack- via requesting from post.

Unfortunately this happens a lot and it is obvious that in such situations your website would be closed by the host immediately. So you would better to prevent these attacks before happenning. On the other hand if you don’t use three possibilities mentioned above, there is no reason to have this connection open. In the following we will learn how to disable XML-RPC in WordPress.

disabling XML-RPC in WordPress

In the first way you can put the code “add_filter(‘xmlrpc_enabled’, ‘__return_false’);” in the file function.php or site specific plugin. Clearly putting it in site specific is more recommended than editing the file functions.php.

You also can use the plugin “Disable XML-RPC” instead of all above.

disabling XML-RPC and preventing accessibility to the file xmlrpc.php via htaccess

In this method we totally prevent the access to the file ” xmlrpc.php ” using the file ” htaccess ” instead of disabling  XML-RPC. If one is disabled to access the file ” xmlrpc.php “, can’t use or abuse XML-RPC possibilities. The Merritt of this method is that you can allow one or more Ips to access this file. So you can actually use the three accessibilities mentioned before and at the same time preventing attacks to this file. To do this just put the code ” — ” in the file ”  htaccess ” in your website.

# Prevent Access to xmlrpc.php File
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Import the IP that you intend allowed to access the file ” xmlrpc.php ” in the fifth line. You can delete this line totally to prevent accessing ” xmlrpc.php ” for all.

See it is easy to prevent abusing your website. Don’t forget to get backup of your website’s files before every step.

Leave a Reply