How to Disable XML-RPC in WordPress

XML-RPC service was disabled by default for the longest time mainly due to security reasons. In WordPress 4.9, this is about to change. XML-RPC will be enabled by default, and the ability to turn it off from your WordPress dashboard is going away. In this article, we will show you how to disable XML-RPC in WordPress and talk further about the decision of having it enabled by default.

What is XML-RPC?

According to Wikipedia, XML-RPC is a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism. In short, it is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. It is also needed if you are using the WordPress mobile app. It is also needed if you want to make connections to services like IFTTT.

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

In the past, there were security concerns with XML-RPC thus it was disabled by default. In his comment on trac ticket #21509, @nacin one of the core contributors of WordPress said:

Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.

There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.

With the increasing use of mobile, this change was imminent. However some security cautious folks may say that while the XML-RPC’s security is not that big of an issue, it still provides an additional surface for attack if a vulnerability was ever found. Thus, keeping it disabled would make more sense.

To keep everyone happy, while the user interface option and the database option to turn off XML-RPC has been removed, there is a filter that you can use to turn it off if needed.

How to Disable XML-RPC in WordPress 5.2

All you have to do is paste the following code in a site-specific plugin:

1
add_filter('xmlrpc_enabled', '__return_false');

Alternatively, you can just install the plugin called Disable XML-RPC. All you have to do is activate it. It does the exact same thing as the code above.

How to Disable WordPress XML-RPC with .htaccess

While the above solution is sufficient for many, it can still be resource intensive for sites that are getting attacked.

In those cases, you may want to disable all xmlrpc.php requests from the .htaccess file before the request is even passed onto WordPress.

Simply paste the following code in your .htaccess file:

1
2
3
4
5
6
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Because we do not use any mobile app or remote connections to publish on MyWebCode, we will be disabling XML-RPC by default. What are your thoughts on the issue?

Share on:

Hello, I am Dharmendra Yadav and I am a Python Developer with experience in web development using Django, Flask, REST API, SQL, MySQL, HTML, CSS, JavaScript, WordPress, Oracle Cloud, AWS and Git. I also write technical articles where I explain web development and Software Engineering. Facebook , Linkedin

Leave a Comment