How to Disable XML-RPC in WordPress

WordPress XML-RPC is a pretty dated functionality baked into the WordPress CMS. It’s a means of standardizing communications between a WordPress site and other web or mobile technologies. If you are a WordPress user, this tutorial will tell you what XML-RPC is and why it is a good idea to disable it to protect yourself.

How XML-RPC Works

Your WordPress website is designed to work on the Web. It uses core web technologies like HTML, CSS, and PHP. All these files are nicely tucked in folders inside your hosting server.

When a visitor clicks on your domain name or any of its derivatives, they land on your webpage. The specific folder containing the information they want downloads to their browser. Now the browser interprets this information and shows it to them.

But what if you don’t want to access your website using a browser? What if you want to access it from a custom admin software or even a mobile application?


The WordPress XML-RPC covers this problem.

XML-RPC is an API that wraps the essential information inside a simple XML file and sends it to the mobile app or remote software. The mobile application then inflates this information with its own preconfigured design. The mobile app in this case no longer needs to download substantial webpage files, and you can still access your data in a nifty app.

As good as it seems, the only issue is that you will have to send your username and password every time you want to authenticate via XML-RPC. This makes it very vulnerable to a hacker’s attack.

How XML-RPC Makes You Vulnerable

XML-RPC leaves your site vulnerable to attack in at least two ways: brute force attacks and theft of login credentials.

1. Brute Force Attacks

Attackers attempt to infect your website using a brute force attack.


A brute force attack is merely a guessing game. The attacker attempts to guess your password over and over again until they are successful.

It happens several thousands of times per second so they can try millions of combinations in a short period.

On a WordPress site you can easily limit brute force attacks by capping the login attempts for your website. However, the problem with XML-RPC is that it doesn’t cap login attempts on your site.

An attacker can keep guessing by fooling your server that they are an admin seeking to retrieve some information. And because they don’t have the correct credentials, they’re not able to access your site yet, so they keep trying several times with no end.

Since there is no limit to the number of trials, it’s only a matter of time before they gain access. This way a hacker can also easily bring down a site by doing an XML-RPC DDOS attack (by sending waves of “pingback” requests to XML-RPC to overload and crash the server).

2. Intercepting/Stealing Login Information


Another weakness of the XML-RPC is the inefficient authentication system. Every time you send a request to access your website, you must also submit your login credentials. This means your username and password is exposed.

Hackers may be lurking around the corner to intercept this packet of information. Once they are successful, they don’t need to go through the rigors of brute force attacks anymore. They simply waltz into your website using your valid credentials.

Should I Disable XML-RPC in WordPress?

Since WordPress version 3.5, there has been so much improvement to the XML-RPC code that the WordPress team deemed it safe enough to be enabled by default. If you are relying on mobile apps or remote software to manage your WordPress site, you probably shouldn’t disable XML-RPC.

If you are very conscious of your server’s security, it may be better to disable it since it covered up one possible way that hackers can use to attack your site.

How to Disable XML-RPC in WordPress

XML-RPC is enabled by default in WordPress, but there are several ways to disable it.

Note: if you are using the popular JetPack plugin, you cannot disable XML-RPC, as it is required for Jetpack to communicate with the server. Also, before disabling XML-RPC, make sure that none of your plugins or themes are using it.

Disabling XML-RPC

1. Locate your theme folder (usually in “wp-content/themes/”), and open the “functions.php” file.

2. Paste the following commands to the end of the file:

// Disable use XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );

Save the “functions.php” file. This will turn off XML-RPC functionality in WordPress. Do note that this method only disables XML-RPC, but it doesn’t stop hackers from attacking your site since the xml-rpc.php file is around.

Blocking Access to XML-RPC file

The best way to prevent hackers from attacking is to block access to the xml-rpc file.

Apache server

If your WordPress site is running on a Apache server (if you see a “.htaccess” file in your WordPress installation folder, you can be pretty sure that your site is hosted on an Apache server), follow these steps.

1. Log in to your CPanel. Search for File Manager.


2. Open the file manager. Navigate to the “public_html” folder and then the “.htaccess” document.


3. Right-click to edit the file.


4. At the bottom of the file paste the following code:

# Disallow all WordPress xmlrpc.php requests to this domain
<Files xmlrpc.php>
order deny,allow
deny from all


5. Save and exit.

Nginx server

For the Nginx server, paste the following code to your server config file:

# nginx block xmlrpc.php requests
location /xmlrpc.php {
    deny all;

Now your site is secure from attacks.

In Conclusion

Brute force attacks and data theft will continue to pose problems for site owners. It is your duty to make sure your site is safe. Disabling XML-RPC is one effective way to do this. Follow the guide above, and protect your website and visitors from hackers now.

Nicholas Godwin
Nicholas Godwin

Nicholas Godwin is a technology researcher who helps businesses tell profitable brand stories that their audiences love. He's worked on projects for Fortune 500 companies, global tech corporations and top consulting firms, from Bloomberg Beta, Accenture, PwC, and Deloitte to HP, Shell, and AT&T. You may follow his work on Twitter or simply say hello. His website is Tech Write Researcher.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox