How to disable XML-RPC

7 April 2022

Most attacks on WordPress websites target the wp-login.php and xmlrpc.php files. In this article I look at how you can protect the latter file.

What is XML-RPC?

XML-RPC is a protocol for making calls over the internet. WordPress mainly uses it for pingbacks, but it is also used by apps that manage WordPress websites. So, disabling pingbacks can affect your website’s functionality.

Pingbacks

Pingbacks date back to the blogging boom in the mid-noughties. If you add a link to someone else’s blog in one of your blog posts then your website can automatically ping the other website. The site you linked to then adds a notification in the comments section of the blog post you linked to, with a link back to your blog. In other words, the idea is to connect like-minded bloggers.

Unfortunately, pingbacks are mostly used by spammers – chances are you quickly get lots of pings from dodgy websites selling dubious products. You can disable pingbacks via Settings » Discussion. There are two settings to look out for:

• Attempt to notify any blogs linked to from the post sends a ping to a website you link to. If the website has enabled pingbacks then a link to your blog post appears in the comment section.
• Allow link notifications from other blogs does the opposite. If this setting is enabled any website can get a link to their website on your website.

WordPress apps

If you use an up-to-date app to manage your WordPress website then you don’t need XML-RPC. The protocol has largely been superseded by the more modern REST API. So, if you use an app that still relies on XML-RPC then you probably want to look for a better app, as it is very likely that the app is out of date and no longer maintained. XML-RPC has various security vulnerabilities, so using an unmaintained app that relies on old technology is not recommended.

How to disable XML-RCP

As always, there are plenty of plugins that can disable XML-RPC. Alternatively, you can deny access to the file by adding this rule to your website’s .htaccess file:

<Files "xmlrpc.php">
  Require all denied
</Files>

You can also make an exception for your IP address, so that everybody apart from you is denied access to the file. My article about denying access to files using the .htaccess file explains how you can tweak the rule.

Other tips

This article is part of a series about things you can do to optimise your WordPress website and make it more secure. You might also be interested in these articles:

• Change the default WordPress login URL
• How to replace the default WordPress cron
• How to protect WordPress comment forms