If you’re worried about your website’s security, disabling XML-RPC in WordPress is a smart move. Hackers often target XML-RPC to access websites remotely, making it a popular attack entry point. Disabling it can protect your site from brute force attacks, DDoS attacks, and spam comments.
In this guide, you’ll learn why you should disable it and how to disable it using simple, step-by-step methods. No technical skills are required — just follow the steps.
Why Should You Disable XML-RPC?
XML-RPC is a powerful tool, but it’s also a major security risk. Here’s why you should consider disabling it:
- Brute Force Attacks
- Hackers use XML-RPC to try thousands of username-password combinations at once.
- Each attempt counts as a login attempt, making it easier for them to hack into your site.
- DDoS Attacks
- Attackers send multiple requests to the XML-RPC file, causing your site to slow down or crash.
- Disabling XML-RPC can prevent these attacks from happening.
- Reduce Server Load
- XML-RPC can overload your server with requests.
- Blocking it reduces unnecessary traffic and speeds up your website.
- Block Spam
- Some spammers use XML-RPC to post spam comments or send fake pingbacks.
- Disabling it will stop them from doing this.
If you don’t use tools like Jetpack or the WordPress mobile app, you don’t need XML-RPC. Disabling it will make your site safer and faster.
How to Check If XML-RPC Is Enabled on Your Site
Before you disable it, you should check if XML-RPC is active. Here’s how to do it:
Open your web browser.
Enter this URL:
https://yourwebsite.com/xmlrpc.php
(Replace yourwebsite.com with your site URL.)
Look at the response on the screen.
Possible Results:
- If you see “XML-RPC server accepts POST requests only,” XML-RPC is enabled.
- If you see 404 Not Found or 403 Forbidden, it’s already disabled.
If it’s enabled, it’s time to disable it. Follow the methods below.
How to Disable XML-RPC in WordPress
You can disable XML-RPC in different ways. We’ll cover the simplest and most effective methods.
1. Disable XML-RPC Using a Plugin
The easiest way to disable XML-RPC is to use a security plugin. No coding is required.
Steps to Disable XML-RPC Using a Plugin
- Log in to your WordPress dashboard.
- Go to Plugins > Add New.
- Search for Disable XML-RPC or Disable XML-RPC-API.
- Install and activate the plugin.
Once activated, the plugin automatically disables XML-RPC for your website. No extra settings are needed.
Best Plugins to Use
- Disable XML-RPC (simple, lightweight, and automatic)
- Wordfence Security (blocks XML-RPC and adds other security features)
- All In One WP Security (offers full control over WordPress security)
This is the simplest and fastest method for beginners.
2. Disable XML-RPC Using .htaccess File
You can disable XML-RPC directly from the .htaccess file if you want a more manual approach. This method works well if you don’t want to use plugins.
Steps to Disable XML-RPC Using .htaccess
Access your website files using FTP or your hosting file manager.
Locate the .htaccess file in your site’s root directory.
Open the .htaccess file for editing.
Add this code at the bottom of the file:
<Files xmlrpc.php>
Order Allow, Deny
Deny from all
</Files>
Save the file and close it.
Once you save it, XML-RPC will be disabled. If you visit https://yourwebsite.com/xmlrpc.php, it will show 403 Forbidden.
Note: Be careful when editing the .htaccess file. A small mistake can crash your site.
3. Disable XML-RPC Using wp-config.php
Another option is to add a rule to your wp-config.php file.
Steps to Disable XML-RPC Using wp-config.php
Access your website files using FTP or the hosting file manager.
Open the wp-config.php file for editing.
Add this line at the end of the file:
add_filter( ‘xmlrpc_enabled’, ‘__return_false’ );
Save the file and close it.
This code tells WordPress to turn off XML-RPC for your entire site.
Note: If you’re unfamiliar with FTP or file editing, use a plugin instead.
4. Disable XML-RPC Using a Security Plugin (Wordfence, Sucuri)
Security plugins like Wordfence and Sucuri offer an easy option to block XML-RPC.
Steps to Disable XML-RPC Using Wordfence
- Install and activate Wordfence Security.
- Go to Wordfence > Firewall.
- Look for the option to block XML-RPC requests.
- Turn it on and save the changes.
Benefits of This Method:
- You get extra security features like firewall protection and malware scans.
- No need to edit files or add custom code.
5. Disable XML-RPC Using Cloudflare
If you use Cloudflare to manage your website, you can block XML-RPC requests.
Steps to Disable XML-RPC Using Cloudflare
- Log in to Cloudflare.
- Go to the Firewall Rules section.
- Create a new Firewall Rule.
- Set the rule to Block requests to /xmlrpc.php.
Cloudflare will block all incoming requests to /xmlrpc.php, protecting your site.
How to Test If XML-RPC Is Disabled
After you’ve disabled XML-RPC, you should test it to ensure it’s off. Here’s how:
Visit this URL:
https://yourwebsite.com/xmlrpc.php
Check the message you see on the page.
Possible Results:
- 403 Forbidden or 404 Not Found = Success! XML-RPC is disabled.
- “XML-RPC server accepts POST requests only” = XML-RPC is still active.
If you see 403 Forbidden, XML-RPC is blocked, and your site is more secure.
Final Thoughts
Disabling XML-RPC in WordPress is one of the easiest ways to boost security. Hackers often use XML-RPC to launch attacks, so blocking it will reduce the risk.
Here’s a quick recap of how to disable XML-RPC:
- Use a plugin like Disable XML-RPC (the fastest method)
- Edit the .htaccess file (manual method)
- Add code to wp-config.php (simple and effective)
- Use security plugins like Wordfence or Sucuri
Once XML-RPC is disabled, test it by visiting https://yourwebsite.com/xmlrpc.php. If you see 403 Forbidden, it’s successfully blocked.
If you don’t need Jetpack or remote publishing tools, disable XML-RPC today and make your website safer. A few minutes of work could save you from hours of security issues later.
