Knowing how to disable WordPress XML-RPC is one of the most important security steps you can take to protect your website from brute-force attacks, DDoS amplification exploits, and unauthorized remote access. In this comprehensive guide, you will learn exactly what XML-RPC is, why it poses a risk, and how to disable it using multiple proven methods — from simple plugins to manual code edits.
What Is WordPress XML-RPC and Why Is It a Security Risk?
XML-RPC (Extensible Markup Language Remote Procedure Call) is a protocol that allows remote applications to communicate with your WordPress site over HTTP. It was originally designed to enable features like the WordPress mobile app, Jetpack, and third-party publishing tools to interact with your site without needing a browser session.
The file responsible for this feature is xmlrpc.php, located in the root of every WordPress installation. While useful in some scenarios, it has become a frequent target for attackers because:
- Brute-force amplification: A single XML-RPC request can test hundreds of username and password combinations using the system.multicall method, making password attacks far more efficient.
- DDoS attacks: Attackers can use your server as a relay to amplify distributed denial-of-service attacks against other targets.
- Pingback exploitation: The pingback feature within XML-RPC can be abused to scan internal networks or flood websites with fake pingback requests.
- Bypassing two-factor authentication: Some 2FA plugins do not protect the XML-RPC endpoint, allowing attackers to bypass login security.
Unless you actively use the WordPress mobile app, Jetpack, or a remote publishing tool that requires XML-RPC, disabling it is almost always the right decision for the vast majority of WordPress sites.
Method 1: Disable XML-RPC Using a WordPress Plugin
The easiest method for beginners is to use a dedicated plugin. This approach requires no coding knowledge and takes less than two minutes.
Using the Disable XML-RPC Plugin
- Log in to your WordPress dashboard.
- Navigate to Plugins > Add New.
- In the search bar, type Disable XML-RPC.
- Find the plugin by Joseph Scott and click Install Now.
- Once installed, click Activate.
- The plugin works immediately upon activation — no configuration is needed.
This plugin hooks into WordPress at the application level and completely turns off XML-RPC access. It is lightweight, has no settings page, and does exactly one job reliably.
Using a Security Plugin
If you already use an all-in-one security plugin such as Wordfence, iThemes Security, or All-In-One WP Security, you may already have the option built in:
- Open your security plugin's settings panel.
- Look for a section labelled XML-RPC, Remote Access, or WordPress Tweaks.
- Enable the option to disable or block XML-RPC requests.
- Save your settings.
Using a security plugin is ideal if you want centralized control over multiple hardening features without installing several single-purpose plugins.
Method 2: Disable XML-RPC via functions.php
If you prefer not to add another plugin, you can disable XML-RPC by adding a small PHP snippet to your theme's functions.php file or to a custom plugin. This method is clean, lightweight, and portable.
Adding the Code Snippet
- Back up your website before making any code changes.
- In your WordPress dashboard, go to Appearance > Theme File Editor (or use a code editor via FTP/SFTP).
- Open your active theme's functions.php file. If you use a child theme, edit the child theme's functions.php.
- Scroll to the very bottom of the file.
- Add the following code snippet:
// Disable XML-RPC completely
add_filter( 'xmlrpc_enabled', '__return_false' );

// Also remove the X-Pingback HTTP header
add_filter( 'wp_headers', function( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
- Click Update File to save your changes.
- Test your site to make sure everything still works correctly.
The xmlrpc_enabled filter tells WordPress to return false when anything checks whether XML-RPC is active, effectively shutting it down at the application level. The second filter removes the X-Pingback header from HTTP responses, which prevents attackers from even discovering that XML-RPC exists on your server.
Important Note About Theme Updates
If you add this code directly to a parent theme's functions.php, it will be overwritten when the theme updates. Always use a child theme or create a simple custom plugin to house your snippets so they survive updates.
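One way to keep the snippet out of the theme entirely is to package it as a must-use plugin. The file below is an added example written for this guide, not code from the original article or from any plugin it mentions. It carries the two filters from Method 2 and goes a step further, because WordPress consults the xmlrpc_enabled filter only inside wp_xmlrpc_server::login(): methods that require no login, such as pingback.ping and system.listMethods, keep answering unless the method table itself is emptied, which the xmlrpc_methods filter does. It also removes the RSD link tag that advertises xmlrpc.php in the HTML head. The file name and the Plugin Name header are this example's own choices.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not the guide's own code)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php. Must-use plugins load
 * before normal plugins and themes, cannot be deactivated from the
 * dashboard, and are untouched by theme updates.
 */

// 1. Refuse authenticated calls. Core checks this filter inside
//    wp_xmlrpc_server::login(), so it only affects methods that log in.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Empty the method table as well. Unauthenticated methods such as
//    pingback.ping, demo.sayHello and system.listMethods never call login(),
//    so the filter above leaves them answering; with no methods registered
//    every call gets a "method does not exist" fault instead.
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// 3. Stop advertising the endpoint: both the X-Pingback response header and
//    the RSD <link> tag in the page head point at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Close inbound pingbacks at the post level too, so that if XML-RPC is
//    ever re-enabled, posts still do not accept pings.
add_filter( 'pings_open', '__return_false' );
```

Create the wp-content/mu-plugins directory if it does not exist yet; WordPress loads every .php file in it automatically. Because there is no activation step, the hardening stays in place across theme and plugin updates without anything to remember.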
Method 3: Block XML-RPC via .htaccess (Apache Servers)
For Apache-based hosting environments, you can block access to xmlrpc.php at the server level using your .htaccess file. This is more efficient than PHP-level blocking because the request is rejected before WordPress even loads, saving server resources.
Editing Your .htaccess File
- Connect to your server via FTP, SFTP, or your hosting control panel's file manager.
- Locate the .htaccess file in the root of your WordPress installation (the same directory as wp-config.php).
- Download a backup copy of the file before editing.
- Open the file in a text editor and add the following block above the # BEGIN WordPress section:
# Block WordPress XML-RPC
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
- Save the file and upload it back to your server.
- Visit https://yoursite.com/xmlrpc.php in a browser — you should receive a 403 Forbidden error, confirming that access is blocked.
This method is highly effective and prevents any processing overhead associated with WordPress loading just to reject an XML-RPC request.
Blocking XML-RPC on Nginx Servers
If your server runs Nginx instead of Apache, add the following rule inside your server block configuration:
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}
After editing your Nginx config, reload the service with sudo systemctl reload nginx for the changes to take effect.
Method 4: Disable XML-RPC Using WP-CLI
WP-CLI (WordPress Command Line Interface) is a powerful tool for developers and server administrators who prefer managing WordPress from the terminal. While there is no single built-in WP-CLI command to disable XML-RPC directly, you can use it to install and activate the dedicated plugin instantly.
Installing the Disable XML-RPC Plugin via WP-CLI
- SSH into your server.
- Navigate to your WordPress installation directory.
- Run the following command to install and activate the plugin in one step:
wp plugin install disable-xml-rpc --activate
- Verify activation by running:
wp plugin list --status=active | grep xml-rpc
- You should see disable-xml-rpc listed as active in the output.
WP-CLI is particularly useful when managing multiple WordPress installations or when automating security hardening as part of a deployment script or CI/CD pipeline.
How to Verify XML-RPC Is Successfully Disabled
After applying any of the methods above, it is important to confirm that XML-RPC is actually disabled and not just seemingly blocked. Here are reliable ways to test it:
Test via Browser
Navigate directly to https://yoursite.com/xmlrpc.php. If XML-RPC is properly disabled or blocked, you should see either a 403 Forbidden error (server-level block) or a plain page that no longer responds to XML-RPC method calls.
Test via Online XML-RPC Checker
Several free online tools allow you to check if XML-RPC is accessible on any domain. Search for "WordPress XML-RPC checker" and enter your domain. A properly disabled endpoint will return an error or no valid XML-RPC response.
Test via cURL Command
- Open your terminal.
- Run the following command, replacing yoursite.com with your actual domain. It sends a minimal system.listMethods call rather than a plain GET, because xmlrpc.php answers any GET with a "405 XML-RPC server accepts POST requests only" notice whether or not it is actually serving methods:
curl -s -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' https://yoursite.com/xmlrpc.php
- If XML-RPC is active, you will see <?xml version="1.0" encoding="UTF-8"?> followed by XML content.
- If it is properly blocked, you will receive a 403 error, an empty response, or a custom error message.
Always verify after making changes — security configurations that appear to work can sometimes be bypassed by subtle misconfigurations.
When You Should NOT Disable XML-RPC
While disabling XML-RPC is the right choice for most sites, there are legitimate scenarios where you need to keep it enabled or selectively allow access:
- WordPress Mobile App: If you or your team publish content using the official WordPress app, it uses XML-RPC for communication on older versions. Newer versions of the app use the REST API, so this is less of a concern today.
- Jetpack by Automattic: Jetpack relies on XML-RPC to communicate with WordPress.com servers. If you use Jetpack features like site stats, social sharing, or backups through Jetpack, disabling XML-RPC will break these features.
- Third-party publishing tools: Some desktop blogging clients (like Windows Live Writer or MarsEdit) use XML-RPC. If your editorial workflow depends on these tools, you will need to keep it enabled or switch to REST API-compatible alternatives.
If you must keep XML-RPC enabled, consider using your security plugin or .htaccess rules to whitelist only specific trusted IP addresses rather than opening it to the entire internet.
Frequently Asked Questions
Will disabling XML-RPC break my WordPress site?
For most websites, disabling XML-RPC will have no negative effect at all. It only impacts functionality if you actively use tools that rely on it, such as Jetpack, the WordPress mobile app (older versions), or desktop publishing clients like MarsEdit. If you are unsure, check your server logs for requests to xmlrpc.php before disabling it.
Is XML-RPC disabled by default in WordPress?
No. XML-RPC is enabled by default in all WordPress installations. Every WordPress site has an accessible xmlrpc.php file unless it has been explicitly disabled through a plugin, code snippet, or server-level configuration.
What is the difference between disabling XML-RPC and blocking it at the server level?
Disabling XML-RPC at the WordPress application level (via a plugin or functions.php filter) tells WordPress not to respond to XML-RPC requests, but the file is still technically accessible and WordPress still loads to process the request. Blocking it at the server level via .htaccess or Nginx rules rejects the request before WordPress loads, which is more efficient and uses fewer server resources.
Can I selectively allow XML-RPC for specific IP addresses only?
Yes. In your .htaccess file, you can use an allow/deny rule to whitelist specific IPs. For example, replace the deny-all block with rules that deny all traffic except from your trusted IP address. This lets you keep XML-RPC functional for authorized tools while blocking everyone else.
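When you need XML-RPC for a few trusted tools but cannot edit .htaccess or the Nginx configuration, the same allow-list idea can be applied inside WordPress. The must-use plugin below is an added example for this guide, not code from the original article or from any plugin it mentions; the IP addresses in it are constructed placeholders taken from the documentation ranges, and the hxr_ function names are this example's own. It answers xmlrpc.php with a 403 for every client not on the list before any XML-RPC method runs, and strips the pingback methods even for allowed clients, since no publishing tool needs them. It assumes the web server passes the real client address to PHP in REMOTE_ADDR; behind a reverse proxy or CDN that value is the proxy's address, and you would have to substitute the header your proxy sets and trust it only when the request really came from that proxy.

```php
<?php
/**
 * Plugin Name: XML-RPC IP allow-list (added example, not the guide's own code)
 *
 * Save as wp-content/mu-plugins/xmlrpc-allowlist.php. Keeps xmlrpc.php
 * usable for the listed client addresses and rejects everyone else early.
 */

// Constructed placeholder entries (documentation ranges); replace them with
// the real addresses your publishing tool or remote service connects from.
const HXR_ALLOWED_XMLRPC_CLIENTS = array(
    '192.0.2.10',      // a single trusted address
    '198.51.100.0/24', // a trusted CIDR block
);

/**
 * True when $ip lies inside $cidr, given as "a.b.c.d" or "a.b.c.d/n".
 * IPv4 only; assumes 64-bit PHP integers.
 */
function hxr_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits        = (int) $bits;
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false || $bits < 0 || $bits > 32 ) {
        return false;
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function hxr_client_is_allowed( $ip ) {
    foreach ( HXR_ALLOWED_XMLRPC_CLIENTS as $cidr ) {
        if ( hxr_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so by the
// time 'init' fires we already know this is an XML-RPC request and can stop
// it before wp_xmlrpc_server is even constructed.
add_action( 'init', function () {
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return;
    }
    // REMOTE_ADDR is the TCP peer; see the proxy caveat in the text above.
    $client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( hxr_client_is_allowed( $client ) ) {
        return;
    }
    status_header( 403 );
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo 'XML-RPC is restricted on this site.';
    exit;
}, 0 );

// Even for allowed clients, remove the pingback methods: they are the ones
// abused for reflection and internal scanning, and no editor relies on them.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
```

After installing it, repeat the cURL check from the verification section once from an allowed address and once from any other network: the first should return the XML method list, the second the plain-text 403. Note that a remote service such as Jetpack connects from its own servers, so those addresses must be on the list or its features will stop working.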
Securing your WordPress site does not have to be a complex or time-consuming process. By following any of the methods outlined in this guide, you can effectively disable WordPress XML-RPC and significantly reduce your attack surface in minutes. Whether you prefer a plugin, a PHP snippet, a server configuration rule, or a WP-CLI command, the right approach exists for your skill level and setup. If you want an even easier way to manage WordPress security tasks and configurations, WP AI Agent is an innovative tool that lets you handle WordPress tasks like this — and much more — through simple, natural-language AI chat, making site management accessible to everyone regardless of technical experience.