What Is Xmlrpc.php in WordPress and Why You Should Disable It

Many owners of WordPress sites do not realize that one of the WordPress features can be used to mount a brute-force attack on their site. You should learn what xmlrpc.php is and why it can cause security issues.

In this article, you will learn about xmlrpc.php in detail to improve your WordPress site security.

What is xmlrpc.php

When Internet connections were slow, webmasters would write content and website updates offline and upload them to the web later. But this process was tedious and time-consuming. That is why web developers built offline clients that allowed creating content offline and then connecting to a CMS (content management system) to publish it through XML-RPC (Extensible Markup Language Remote Procedure Call).

In simple words, it allowed the transmission and processing of complex data from one device to another regardless of operating systems and browsers. Also, webmasters used XML-RPC to log in to the admin panel of their WordPress sites from different devices.

As you may have guessed, WordPress still uses XML-RPC because it needs to transmit data from other systems. For example, you can use trackbacks (trackbacks are a way to notify legacy blog systems that you’ve linked to them) or use remote access to the WordPress site via smartphone.

Unfortunately, the new WordPress API is still in trial, and XML-RPC can’t be eliminated now. The API is quite an unreliable solution despite providing more website security.

Why is using XML-RPC not secure?

Reasons why disabling xmlrpc.php is recommended

If xmlrpc.php is a helpful feature of the WordPress platform, why do web security experts recommend disabling it?

The unpleasant truth is that hackers can use xmlrpc.php to attack WordPress sites even when those sites use strong passwords or advanced security plugins.

Experts know about two principal Xmlrpc.php vulnerabilities which hackers have exploited.

The first vulnerability is that hackers use xmlrpc.php to gain access to the WordPress site by testing different passwords. Usually, they are successful in bypassing many security plugins via this method.

The second vulnerability is that hackers can use the pingback feature for DDoS attacks. A pingback is a comment created when you link to another blog post where pingbacks are enabled. In this way, hackers can take thousands of sites offline.
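On the site being abused, both kinds of traffic arrive as POST requests to xmlrpc.php, so they are visible in the web server's access log. The following is an added example (not from the original article) that flags client IPs sending bursts of such requests. It assumes a time-ordered log in Apache "combined" format; the log lines are constructed samples, and the function names, threshold and window are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample in Apache "combined" log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST //xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.20 - - [12/Mar/2024:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
192.0.2.44 - - [12/Mar/2024:10:00:20 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
"""

def is_xmlrpc(path):
    """True for xmlrpc.php, also with a query string, doubled slashes or a subdirectory."""
    clean = re.sub(r"/+", "/", path.split("?", 1)[0]).lower()
    return clean.endswith("/xmlrpc.php")

def xmlrpc_post_bursts(log_text, threshold=20, window_seconds=60):
    """Return {client_ip: peak POST count within the window} for IPs reaching threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = defaultdict(int)      # ip -> highest count seen in any window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, stamp, method, path, _status = m.groups()
        if method != "POST" or not is_xmlrpc(path):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop requests older than the window
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    print(xmlrpc_post_bursts(SAMPLE_LOG, threshold=3))
```
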

So, the best mode of protection is to disable Xmlrpc.php. How to do that?

Three ways to disable Xmlrpc.php

In WordPress 2.6 (released in 2008), developers added a feature that allowed disabling XML-RPC. But since the release of the WordPress iPhone app, XML-RPC has been enabled by default, and users can’t disable it. So, webmasters need other ways to do that.

Before using one of these methods, check whether XML-RPC is running on the WordPress site. Sometimes WordPress developers disable xmlrpc.php without the website owner’s approval. Run the website through one of the online tools to check whether xmlrpc.php is enabled.
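The same check can be run from your own machine. This added example (not from the original article) builds a read-only `system.listMethods` request and interprets the reply: whether the endpoint answers at all and whether `pingback.ping` is still offered. The function names and the sample replies are constructed for illustration, and `fetch` is meant for a site you administer.

```python
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

def probe_body():
    """XML-RPC request for system.listMethods (read-only, needs no login)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()

def classify(status, body):
    """Interpret the HTTP status and body returned for a POST to xmlrpc.php."""
    if status >= 400:
        return {"reachable": False, "pingback": False, "detail": f"refused with HTTP {status}"}
    try:
        (methods,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return {"reachable": True, "pingback": False, "detail": f"fault {fault.faultCode}"}
    except (xmlrpc.client.Error, ExpatError, ValueError):
        return {"reachable": False, "pingback": False, "detail": "not an XML-RPC reply"}
    if not isinstance(methods, list):
        methods = []
    return {"reachable": True, "pingback": "pingback.ping" in methods,
            "detail": f"{len(methods)} methods listed"}

def fetch(url, timeout=10):
    """POST the probe to a site you administer; returns (status, body)."""
    req = urllib.request.Request(url, data=probe_body(),
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

# Constructed replies standing in for real server responses.
OPEN_REPLY = xmlrpc.client.dumps(
    (["system.listMethods", "pingback.ping", "wp.getUsersBlogs"],),
    methodresponse=True).encode()
TRIMMED_REPLY = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs"],), methodresponse=True).encode()

if __name__ == "__main__":
    print(classify(200, OPEN_REPLY))       # endpoint answers, pingback offered
    print(classify(200, TRIMMED_REPLY))    # endpoint answers, pingback removed
    print(classify(403, b"Forbidden"))     # blocked at the web server
```
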

Using the code to disable Xmlrpc.php

This method requires you to add code to your website’s functions.php file manually. This code disables the XML-RPC:

add_filter('xmlrpc_enabled', '__return_false');

If you have never edited WordPress code, it would be better to use the following method of disabling XML-RPC.

Using the plugin to disable Xmlrpc.php

This is the easiest method to disable xmlrpc.php on many WordPress sites.

Search for the Disable XML-RPC plugin and install it. Then activate the plugin, and it will implement the code automatically. This plugin has no settings that a user should configure.

But if you completely disable XML-RPC, you may face a plugin conflict that disables some website functions.

Using the .htaccess file to disable Xmlrpc.php

Some WordPress users don’t like to use plugins. Adding code manually to the .htaccess file will stop all incoming xmlrpc.php requests.

Open up your .htaccess file and paste the following code:

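# Block WordPress xmlrpc.php requests
# (Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it)
<Files xmlrpc.php>
order deny,allow
deny from all
# Replace with the trusted IP address that should keep access
allow from xxx.xxx.xxx.xxx
</Files>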

As you can see, this method keeps remote access available to you or your team from your own or any other trusted IP address while blocking all other requests. If you want to disable XML-RPC completely using .htaccess, remove the line allow from xxx.xxx.xxx.xxx.


Generally, Xmlrpc.php was a robust solution for WordPress sites, but now it may be a source of problems and cause security issues.

To improve your WordPress site security, disabling XML-RPC is the best solution.

On the other hand, disabling the XML-RPC may cause issues with website functionality because some plugins use this feature. So, if you face some problems after disabling XML-RPC, you need to contact WordPress professionals. They can tailor the optimal solutions, for example, plugins, that allow using these features and improve website security simultaneously.
