If you want to check whether XML-RPC is enabled on a WordPress site, you’re in the right place. XML-RPC is a feature that allows remote connections to a WordPress site. It’s used for mobile apps, external publishing tools, and plugins.
But sometimes, you may want to know if XML-RPC is active on another WordPress site. Why? It could be for testing, security checks, or troubleshooting.
In this guide, you’ll learn what XML-RPC is, why you should check it, and how to check if it’s enabled on another WordPress site.
What Is XML-RPC in WordPress?
XML-RPC protocol allows your WordPress site to communicate with other tools, apps, or websites. It works like a bridge between your WordPress site and third-party applications.
With XML-RPC enabled, you can:
- Post to WordPress using mobile apps or external publishing tools.
- Use specific plugins that rely on remote access.
- Connect with Jetpack for advanced features.
However, since XML-RPC allows remote connections, hackers sometimes target it. For this reason, many site owners disable it for security reasons.
How to Check If XML-RPC Is Enabled on Another WordPress Site
Here are several easy methods to check for XML-RPC on any WordPress site. You don’t need to log in or install plugins for most of these methods.
1. Check the URL Directly
The fastest way to check if XML-RPC is active is to access the xmlrpc.php file directly.
Steps to Check XML-RPC
- Open your web browser.
- Enter this URL in the address bar:
https://example.com/xmlrpc.php
(Replace example.com with the website URL you want to check.)
- Look at the response on the screen.
Possible Results
- Response 1: “XML-RPC server accepts POST requests only.”
- This means XML-RPC is enabled.
- Response 2: 403 Forbidden or 404 Not Found
- This means XML-RPC is disabled or blocked.
- Response 3: Blank page
- The file may exist, but a security plugin or server rules block it.
Quick Tip: If you see the “XML-RPC server accepts POST requests only” message, XML-RPC is enabled and working.
2. Use an Online XML-RPC Checker Tool
If you don’t want to do it manually, use an online XML-RPC checker tool. These tools automatically check if the XML-RPC file exists and is accessible.
How to Use an Online Checker
- Go to a free tool like https://xmlrpc.eritreo.it/.
- Enter the site URL you want to check (like https://example.com).
- Click Check.
Possible Results
- XML-RPC enabled: It will confirm that the file exists and is accessible.
- XML-RPC disabled: It will show an error message or “not found.”
This is one of the easiest ways to check if XML-RPC is enabled on another site.
3. Use Command Line (cURL Method)
If you know how to use the command line (like Command Prompt, Terminal, or SSH), you can use the cURL command to check XML-RPC.
Steps to Check XML-RPC with cURL
Open Command Prompt (Windows) or Terminal (Mac/Linux).
Type this command:
curl -I https://example.com/xmlrpc.php
Check the response.
Possible Results
- 200 OK: XML-RPC is enabled, and the file is accessible.
- 403 Forbidden: The file exists but is blocked.
- 404 Not Found: The file does not exist or is disabled.
This method helps check multiple websites in a batch using a script.
4. Check HTTP Response Headers
Another way to check XML-RPC is to inspect the HTTP headers. This tells you if the server allows access to the xmlrpc.php file.
Steps to Check HTTP Headers
- Open the website in your browser.
- Right-click anywhere on the page and select Inspect or Inspect Element.
- Click the Network tab.
- In the filter bar, type xmlrpc.php.
- Reload the page.
Possible Results
- If the file appears in the list, it’s likely active.
- If it shows a 403 or 404 status, the file is disabled or blocked.
This method gives you more detailed information about the server response.
5. Use Browser Extensions
You can also check for XML-RPC using browser extensions that detect page files.
Recommended Extensions
- Wappalyzer (for Chrome, Firefox)
- BuiltWith (for Chrome)
How to Use These Extensions
- Install Wappalyzer or BuiltWith on your browser.
- Visit the website you want to check.
- Click on the extension icon.
The extension may display if XML-RPC is enabled on the site. If not, you’ll have to use one of the previous methods.
How to Disable XML-RPC on Your Site
If you find that XML-RPC is active on your site and want to disable it for security, here’s how you can do it.
Method 1: Use a Security Plugin
- Install a plugin like Wordfence or All In One WP Security.
- Go to the plugin settings.
- Look for an option to Disable XML-RPC and enable it.
Method 2: Use .htaccess File
Access your .htaccess file using FTP or your hosting file manager.
Add this code to the file:
<Files xmlrpc.php>
Order Allow, Deny
Deny from all
</Files>
Save the file.
This method blocks access to xmlrpc.php completely.
FAQs
1. What happens if XML-RPC is disabled?
If XML-RPC is disabled, you can’t use mobile apps, Jetpack, or remote tools to manage your site. But you will improve security by blocking potential hackers.
2. Is it safe to disable XML-RPC?
Yes, it’s safe if you’re not using Jetpack or remote publishing tools. Most WordPress sites don’t need XML-RPC anymore.
3. How do I know if XML-RPC is enabled on my site?
Visit yourdomain.com/xmlrpc.php and look for the message “XML-RPC server accepts POST requests only.”
Conclusion
Checking if XML-RPC is active on another WordPress site is simple. You can use direct URL access, online tools, cURL commands, or browser extensions. If you see the message “XML-RPC server accepts POST requests only,” XML-RPC is enabled.
If you manage your WordPress site, consider disabling XML-RPC unless you need it for Jetpack or mobile publishing. Doing so can improve security.
Use the methods outlined in this guide, and you can check XML-RPC status on any WordPress site in minutes. If you have a website, you know how to protect it, too.
