WordPress security is something every site owner needs to address. While there is a long list of security measures to take, one of the simplest is hardening your WordPress installation by disabling endpoints that are exposed and no longer needed. Today we're going to discuss disabling XML-RPC in WordPress core.
What is XML-RPC?
In short, the WordPress XML-RPC API is a core component that lets your website talk to third-party clients such as mobile apps or desktop publishing software. This Remote Procedure Call interface uses XML as the message format between client and server, for example to push a post written in a native phone app to your WordPress site. XML-RPC has shipped with WordPress since its early releases; in version 3.5 the setting that allowed you to switch it off was removed, so it is now always on. A newer interface, the WP REST API, has since replaced it as the preferred way to talk to WordPress remotely, but some plugins (Jetpack among them) still depend on the legacy XML-RPC endpoint, so check whether anything on your site needs it before you disable it.
Why Disable XML-RPC?
One of the easiest ways to harden a WordPress site is to disable any core function or plugin you no longer use or update. XML-RPC is one of those functions: unless your site needs it, it is best disabled. Turning it off removes the following attack surface:
Brute Force Attempts
XML-RPC authenticates on every request that carries credentials and imposes no limit on failed attempts, so xmlrpc.php is a convenient target for password guessing. Worse, the system.multicall method lets an attacker bundle hundreds of login attempts into a single HTTP request. A security plugin that limits login attempts may catch some of this, but WordPress still has to load and execute PHP to reject each request, which consumes resources and leads to the next attack point.
DDoS Attack
xmlrpc.php has been an easy vector for Distributed Denial of Service attacks against WordPress sites, because XML-RPC requests are:
- Not cached, so every request reaches PHP instead of being served from a static cache.
- Resource heavy: each call bootstraps WordPress core, including database access.
- Reflective: the built-in pingback.ping method makes your site fetch an attacker-supplied URL, so thousands of WordPress sites can be pointed at a single victim, amplifying the attack while your server does the work.
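Both abuses above leave a trace in the web server access log, so a quick way to see whether your site is being hit is to count POST requests to xmlrpc.php per client address and to look for the pingback verification requests that WordPress sends with a "WordPress/x.y; http://site" user agent. The following is an added example, not code from the original post: a small Python script that parses constructed nginx/Apache "combined" log lines (the sample lines, IP addresses and the threshold of 20 POSTs are assumptions made for the demonstration) and reports the addresses worth investigating, along with what share of xmlrpc.php POSTs your server already answers with 403.

```python
import re
from collections import Counter

# Regular expression for the "combined" log format that nginx and Apache write by
# default. Assumption: you have not customised log_format / LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, post_threshold=20):
    """Summarise xmlrpc.php traffic in an access log.

    Returns a dict with per-IP POST counts, IPs at or above the brute-force
    threshold, per-IP hits carrying a WordPress pingback user agent, and the
    fraction of xmlrpc.php POSTs that were answered with HTTP 403.
    """
    xmlrpc_posts = Counter()
    pingback_hits = Counter()
    blocked = 0
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skip it rather than crash
        path = rec["path"].split("?", 1)[0]
        if rec["method"] != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        total += 1
        xmlrpc_posts[rec["ip"]] += 1
        if rec["status"] == "403":
            blocked += 1
        # Pingback verification requests announce themselves as "WordPress/<ver>; <url>".
        if rec["ua"].startswith("WordPress/"):
            pingback_hits[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in xmlrpc_posts.items() if n >= post_threshold)
    return {
        "xmlrpc_posts": xmlrpc_posts,
        "brute_force_suspects": suspects,
        "pingback_hits": pingback_hits,
        "blocked_ratio": (blocked / total) if total else None,
    }


def _line(ip, method, path, status, ua):
    """Build one constructed combined-format log line (sample data, not a real log)."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample log: one password-guessing client, one pingback reflector,
# one ordinary visitor whose single xmlrpc.php POST was already blocked, and a junk line.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", 200, "Mozilla/5.0") for _ in range(25)]
    + [_line("198.51.100.9", "POST", "/xmlrpc.php", 200,
             "WordPress/4.9; http://reflector.example") for _ in range(3)]
    + [_line("192.0.2.1", "GET", "/index.php", 200, "Mozilla/5.0")]
    + [_line("192.0.2.1", "POST", "/xmlrpc.php", 403, "Mozilla/5.0")]
    + ["this line is not in combined format and is skipped"]
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("brute-force suspects:", result["brute_force_suspects"])
    print("pingback hits:", dict(result["pingback_hits"]))
    print("share of xmlrpc.php POSTs blocked:", result["blocked_ratio"])
```

Run it against a real log with `analyze(open("/var/log/nginx/access.log"))`; a blocked_ratio well below 1.0 after you apply one of the server configurations below means some requests are still reaching PHP (for example through a path the block does not match).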
Now that you've made an informed decision that you no longer need it enabled, there are a few ways to go about disabling it. The best option is to prevent the code from executing at all, saving resources, by blocking visitors from reaching the PHP file, xmlrpc.php, at the web server. Below you'll find how to do that for each of the common web servers.
Disable via nginx
On Linux, open the server block for your WordPress site in your favourite editor. On Debian and Ubuntu this is usually /etc/nginx/sites-available/default (other distributions keep site configurations under /etc/nginx/conf.d/). In my case I like to use nano, for example: “sudo nano /etc/nginx/sites-available/default“
Add the following inside the server { } block for your site, alongside its other location blocks:
# Deny xmlrpc.php
# Exact-match location: "deny all" answers every request with 403 before PHP is invoked.
location = /xmlrpc.php {
    deny all;
    # Remove the next two lines if you want blocked attempts to appear in your logs.
    access_log off;
    log_not_found off;
}
Save and exit. Check the syntax first with “sudo nginx -t“, then tell the nginx service to reload its configuration:
sudo service nginx reload
Disable via Apache
In Apache, edit the .htaccess file in the root directory of your WordPress site. This only works if AllowOverride for that directory permits it (many distributions default to AllowOverride None, in which case put the same block in the site's <Directory> configuration instead). Open the file in your favourite text editor, for example “sudo nano /var/www/html/wordpress/.htaccess”, and add the following:
# Deny xmlrpc.php
<Files xmlrpc.php>
    # Apache 2.4 syntax (mod_authz_core)
    Require all denied
    # To allow one trusted address instead, replace the line above with:
    # Require ip 123.123.123.123
</Files>
On Apache 2.2 (or 2.4 with mod_access_compat loaded) the legacy equivalent is:
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
    # Allow from 123.123.123.123
</Files>
*To allow access from a specific IP address, replace the example address with your own and remove the #.
Save and exit. Apache reads .htaccess on every request, so no restart is needed.
Disable via Lighttpd
To disable access to xmlrpc.php on a Lighttpd server, open the configuration file for your WordPress site. Unless you have split your configuration into separate files, the default is /etc/lighttpd/lighttpd.conf.
Open lighttpd.conf in your favourite text editor on the server, for example “sudo nano /etc/lighttpd/lighttpd.conf”, and find the host configuration for your WordPress site.
If it is not already there, add mod_access to the module list near the top of the file:
server.modules += ( "mod_access" )
Then add the following inside the host/server configuration for your site:
# deny access to /xmlrpc.php
# The dot is escaped so the pattern matches only the literal file name.
$HTTP["url"] =~ "^/xmlrpc\.php" {
    url.access-deny = ( "" )
}
Save and exit. Restart the lighttpd service for the change to take effect:
sudo service lighttpd restart
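Whichever web server you use, confirm the block is actually in place from the outside: POST a harmless `system.listMethods` call to xmlrpc.php and look at what comes back. The following is an added example, not code from the original post: a Python checker that distinguishes an endpoint blocked at the web server (HTTP 403/404), one that WordPress itself has switched off through the `xmlrpc_enabled` filter (a methodResponse carrying fault 405, "XML-RPC services are disabled on this site."), and one that is still live (a list of method names). The embedded sample responses are constructed for the demonstration; only `probe()` performs a real request.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def build_request(method="system.listMethods"):
    """Build a minimal XML-RPC call with no parameters (listMethods needs none)."""
    return (f'<?xml version="1.0"?><methodCall><methodName>{method}</methodName>'
            f'<params></params></methodCall>').encode()


def classify(status, body):
    """Classify an xmlrpc.php response.

    state is one of: "blocked" (web server refused it), "disabled_by_filter"
    (WordPress answered with fault 405), "enabled" (method list returned),
    "fault" (some other XML-RPC fault) or "unknown" (not an XML-RPC response).
    """
    if status in (401, 403, 404):
        return {"state": "blocked", "methods": [], "fault": None}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"state": "unknown", "methods": [], "fault": None}
    if root.tag != "methodResponse":
        return {"state": "unknown", "methods": [], "fault": None}
    fault = root.find("fault")
    if fault is not None:
        code = fault.findtext("./value/struct/member[name='faultCode']/value/int")
        msg = fault.findtext("./value/struct/member[name='faultString']/value/string")
        state = "disabled_by_filter" if code == "405" else "fault"
        return {"state": state, "methods": [], "fault": (code, msg)}
    methods = [e.text for e in root.findall("./params/param/value/array/data/value/string")]
    return {"state": "enabled", "methods": methods, "fault": None}


def probe(site_url, timeout=10):
    """POST system.listMethods to <site_url>/xmlrpc.php and classify the answer."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:  # 403/404 arrive here, with a readable body
        return classify(e.code, e.read())


# Constructed sample responses (not captured from a real site).
BLOCKED_BODY = b"<html><head><title>403 Forbidden</title></head><body>nginx</body></html>"
ENABLED_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""
FILTER_DISABLED_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python check_xmlrpc.py https://example.com
    else:
        for label, status, body in (("blocked", 403, BLOCKED_BODY),
                                    ("enabled", 200, ENABLED_BODY),
                                    ("filter", 200, FILTER_DISABLED_BODY)):
            print(label, "->", classify(status, body))
```

Note the distinction the checker draws: "disabled_by_filter" means WordPress was fully loaded just to refuse the call, which is the resource cost the plugin approach below cannot avoid, while "blocked" means the web server answered without touching PHP.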
Disable via plugins
While not the best approach, you can also disable the XML-RPC API with a WordPress plugin (these use the xmlrpc_enabled filter under the hood). The drawback is that WordPress still has to load and run PHP to refuse each request, so more code executes than with a web server block.
If you need XML-RPC for a plugin such as Jetpack but want to cut the abuse surface, the Disable XML-RPC Pingback plugin removes only the pingback methods while leaving the rest of the API available for remote access. Check whether any plugin you rely on needs the features being removed, then install and activate it as you would any other plugin.
Disable via WAF (Cloudflare)
Cloudflare offers a Web Application Firewall (WAF) on its Pro plan and above that includes a managed ruleset for WordPress sites. If you are on a paid plan, enable the WordPress rules to block access to xmlrpc.php at Cloudflare's edge. Keep in mind that this only protects traffic that passes through Cloudflare: if your origin server accepts connections from anywhere, an attacker who learns its address can still reach xmlrpc.php directly, so restrict the origin to Cloudflare's IP ranges or keep one of the web server blocks above in place as well.