How to Disable XML-RPC in WordPress

Powered by WPCodeBox

Learn how to disable XML-RPC in WordPress to improve your website’s security and prevent potential attacks.


// Tell WordPress to reject the XML-RPC methods that require authentication
// (the ones used for credential guessing). This filter alone leaves
// unauthenticated methods such as pingback.ping reachable, so it is paired
// with the redirect below.
add_filter('xmlrpc_enabled', '__return_false');

// Catch every request for xmlrpc.php, whatever the HTTP method, and send the
// client to the homepage before the XML-RPC server is even loaded.
add_action('init', function() {
    if (strpos($_SERVER['REQUEST_URI'], 'xmlrpc.php') !== false) {
        wp_redirect(home_url());
        exit; // stop processing so the XML-RPC server never runs
    }
});

Quick Steps to Disable XML-RPC in WordPress

Follow these simple steps to disable XML-RPC on your WordPress site:

  1. Install and activate the WPCodeBox plugin, then navigate to WPCodeBox 2 in your WordPress dashboard.
  2. Copy the code snippet above and paste it into the WPCodeBox code editor.
  3. Give your snippet a descriptive title (like “Disable XML-RPC”), select PHP as the type, then click Save.
  4. Enable the snippet by toggling the switch to the active position.
  5. Test the changes by trying to access yourdomain.com/xmlrpc.php to verify it redirects to your homepage.

That’s it! XML-RPC is now disabled on your WordPress site.
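Step 5 can also be checked from the command line. The script below is an added example, not part of the WPCodeBox snippet; it assumes curl is installed and takes the site URL as a placeholder argument. It probes xmlrpc.php with a GET (what a browser does) and with a POST carrying a system.listMethods call, because XML-RPC clients always POST and a server that only blocks GET would still serve them.

```shell
#!/bin/sh
# Added example (not the WPCodeBox snippet): confirm from outside that
# xmlrpc.php no longer answers. Assumes curl; site URL is a placeholder.

# Classify one HTTP response to an xmlrpc.php request.
# $1 = HTTP status code, $2 = response body. Prints one word:
#   blocked  - redirect or error, so an XML-RPC client cannot use the endpoint
#   exposed  - a real <methodResponse> came back, XML-RPC is still served
#   unknown  - anything else, inspect by hand
classify_xmlrpc_response() {
    case "$1" in
        301|302|303|307|308|403|404|410) echo blocked ;;
        200)
            if printf '%s' "$2" | grep -q '<methodResponse>'; then
                echo exposed
            else
                echo blocked   # 200 without an XML-RPC reply, e.g. an HTML page
            fi ;;
        *) echo unknown ;;
    esac
}

# The first request a real XML-RPC client sends: list the available methods.
LIST_METHODS='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>'

# Probe $1 (site URL, no trailing slash needed) with GET and POST, print both
# verdicts. The body goes to a temp file so it and the status stay separate;
# redirects are deliberately not followed (no -L), so a 302 is reported as-is.
check_xmlrpc() {
    url="${1%/}/xmlrpc.php"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
    printf 'GET  %s -> %s %s\n' "$url" "$status" \
        "$(classify_xmlrpc_response "$status" "$(cat "$tmp")")"
    status=$(curl -s -o "$tmp" -w '%{http_code}' -X POST \
        -H 'Content-Type: text/xml' --data "$LIST_METHODS" "$url")
    printf 'POST %s -> %s %s\n' "$url" "$status" \
        "$(classify_xmlrpc_response "$status" "$(cat "$tmp")")"
    rm -f "$tmp"
}

# Usage: sh check_xmlrpc.sh https://yourdomain.com
if [ -n "${1:-}" ]; then
    check_xmlrpc "$1"
fi
```

With the snippet active, both lines should read "302 blocked"; a "200 exposed" on the POST line means the endpoint still serves XML-RPC clients even if the browser test looked fine.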

Disable XML-RPC in WordPress – Additional Information

XML-RPC Security Risks

XML-RPC in WordPress is a legacy protocol that allows remote communication with external systems and applications. While it served an important function before WordPress introduced the REST API, it now poses significant security risks and has become a prime target for various attacks.

The most serious threat is brute-force login attacks. Attackers use the xmlrpc.php file to launch automated attacks that attempt to gain unauthorized access by testing thousands of username and password combinations.

The XML-RPC protocol includes methods that let an attacker bundle hundreds or thousands of authentication attempts into a single request, dramatically increasing their chances of success. Unlike the standard login page, XML-RPC bypasses security measures such as reCAPTCHA, login attempt limits, and even two-factor authentication, because those protections are usually applied only to wp-login.php.

Another major concern is denial of service. The pingback feature exposed through xmlrpc.php can be used for distributed denial of service attacks that completely overwhelm your server: attackers send massive numbers of pingback requests in a short timeframe, consuming server resources and bandwidth until the site becomes inaccessible to legitimate visitors.

Modern Alternatives to XML-RPC

The REST API, introduced in WordPress 4.4, is now the modern standard for programmatic WordPress access. It uses JSON over HTTP instead of XML, resulting in significantly better performance thanks to JSON's lightweight format.

The REST API offers token-based authentication, OAuth support, and application passwords, providing substantially stronger security than XML-RPC's basic authentication.

When XML-RPC Is Still Needed

Despite the REST API's advantages, some services still rely on XML-RPC. Both Jetpack and the WordPress mobile apps continue to use it. Jetpack uses XML-RPC to establish the connection between a self-hosted WordPress site and WordPress.com, allowing the two to communicate.

The WordPress mobile apps, including the Android app, still depend on XML-RPC rather than the REST API for their core functionality. This means disabling XML-RPC will break the mobile apps' connection to your site.

WPCodeBox is a WordPress Code Snippets Manager that allows you to share your WordPress Code Snippets across your sites.