Here are our recommendations for how to disable XML-RPC in WordPress, and how this may improve your site security and performance.
What is XML-RPC?
When you install WordPress on your site, it comes with a file named xmlrpc.php. The file is included as a convenience, to allow users to manage their blog from 3rd-party clients. Say you’re hiking a remote trail or relaxing on a boat in the middle of the ocean. Or maybe your Internet service is simply down, and you suddenly get inspiration for a blog post. XML-RPC enables you to create your post offline, then publish it when you’re able to reconnect.
With the expansion of WiFi and mobile networks, the need for and usefulness of this functionality has decreased. As a result, the size of the file has also decreased, by over 95% in the last 10 years, as WordPress continues to develop its REST API as an alternative solution.
The primary reason the xmlrpc.php file is still included in current WordPress releases is backward compatibility for sites that have not yet updated to use the REST API.
Since XML-RPC isn’t required anymore, there isn’t any reason to keep it active on your site while waiting for WordPress to phase it out. In fact, there is a major reason to disable it today: security.
Know the Risks
One of the risks the file creates is exposure to brute-force attacks. Because XML-RPC uses username/password authentication, a script could be used to attempt to log in to the site constantly using randomly generated or common username and password combinations. The script could run a nearly unlimited number of times per day, limited only by how quickly your server responds to deny the login attempt.
Obviously, the more attempts a hacker’s script makes on an unsecured server or porous site, the more chances it has to gain entry to your site. However, even on a secure site, your server has to process and respond to each of these attempts. This will occupy your server’s resources, causing CPU overload and a very slow response time—or none at all—to your legitimate site visitors.
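To check whether your site is already receiving this kind of traffic, you can count POST requests to xmlrpc.php per client IP in your web server's access log. The script below is an added example, not part of the original article; it assumes the Apache/Nginx combined log format, and the sample log lines, IP addresses, and threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format: IP ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_posts(lines):
    """Return {ip: Counter({status: count})} for POST requests to xmlrpc.php."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string; WordPress may live in a subdirectory.
        path = m["path"].split("?", 1)[0]
        if path.endswith("/xmlrpc.php"):
            hits[m["ip"]][int(m["status"])] += 1
    return dict(hits)

def suspects(hits, threshold=3):
    """IPs with at least `threshold` POSTs (the threshold is an assumed value)."""
    return sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2024:04:12:{s:02d} +0000] '
    '"POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
    for s in range(5)
] + [
    '198.51.100.23 - - [10/Mar/2024:04:13:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
    '198.51.100.23 - - [10/Mar/2024:04:13:02 +0000] "POST /wp-login.php HTTP/1.1" 200 900 "-" "-"',
    '192.0.2.50 - - [10/Mar/2024:04:14:00 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    hits = xmlrpc_posts(SAMPLE)
    for ip in suspects(hits):
        print(ip, dict(hits[ip]))
```

The per-status counts also serve as a check after you apply a fix: once the .htaccess rule described below is in place, requests to xmlrpc.php should be logged with status 403.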
So, what do I do?
4 Ways to Disable XML-RPC
By default, all WordPress installs have XML-RPC enabled to ensure backward compatibility. Unfortunately, there isn’t currently a setting to disable this. However, there are a few different options for disabling xmlrpc.php on your site to increase security:
1. With A Plugin
The easiest and most common solution is to install and activate a plugin. We recommend the Disable XML-RPC plugin. It’s a secure solution that is active on over 200,000 WordPress sites.
The plugin is a “set it & forget it” solution. XML-RPC will be disabled on your site simply by installing & activating the plugin. No additional options or settings pages are created.
2. .htaccess File
If you prefer to keep the number of plugins installed on your site to a minimum, then you can manually disable XML-RPC through your .htaccess file using FTP.
First, always make a backup of your existing .htaccess file before making any changes. Then, add the following code to the bottom of your .htaccess file to block any access to the xmlrpc.php file:
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
3. Functions.php filter
If you have a custom theme or a child theme, another option is to disable XML-RPC through your theme’s functions.php file. Using cPanel or FTP to access & edit the functions.php file, you can add a filter to the end of the file to disable the XML-RPC functionality:
add_filter( 'xmlrpc_enabled', '__return_false' );
4. Contact Your Hosting Provider
Finally, you can contact your hosting provider, server admin, or WordPress support and maintenance provider and request that XML-RPC be disabled on your server. If you are on a shared server, they may not be able to disable it on the entire server, but they should be able to assist you in disabling it for your site.
Need help or want further information? Contact us. We’re here for you!