{"id":14620,"date":"2026-01-17T12:02:14","date_gmt":"2026-01-17T12:02:14","guid":{"rendered":"https:\/\/www.copebusiness.com\/?p=14620"},"modified":"2026-02-07T10:16:45","modified_gmt":"2026-02-07T10:16:45","slug":"disable-xml-rpc-wordpress","status":"publish","type":"post","link":"https:\/\/www.copebusiness.com\/fr\/security\/desactive-xml-rpc-wordpress\/","title":{"rendered":"How to Disable XML-RPC in WordPress for Better Security"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"14620\" class=\"elementor elementor-14620\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5d618788 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5d618788\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5b78d1ee\" data-id=\"5b78d1ee\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-36d6850b elementor-widget elementor-widget-text-editor\" data-id=\"36d6850b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<p class=\"wp-block-paragraph\">XML-RPC is a legacy WordPress feature that allows remote access and management of your site \u2014 including posting from apps, Jetpack, and the WordPress mobile app. While useful in the past, it has become a major security risk, as attackers frequently exploit it for brute-force login attempts, DDoS attacks, and XML-RPC pingback floods. 
Disabling XML-RPC is one of the simplest and most effective security measures you can take, especially if you don&#8217;t use remote publishing tools. At Cope Business, we always recommend disabling XML-RPC (unless needed) during our <a href=\"https:\/\/www.copebusiness.com\/technical-seo-services\/technical-seo-audit-service\/\" target=\"_blank\" rel=\"noreferrer noopener\">technical SEO audit services<\/a> to reduce attack surface and improve overall site protection.<\/p>\n\n\n<p class=\"wp-block-paragraph\">This guide explains why you should disable XML-RPC, when it&#8217;s safe to do so, and three reliable methods to turn it off in WordPress.<\/p>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_Disable_XML-RPC_in_WordPress\"><\/span>Why Disable XML-RPC in WordPress?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul class=\"wp-block-list\">\n<li><strong>Brute-Force Attacks<\/strong> \u2014 XML-RPC allows unlimited login attempts without rate limiting.<\/li>\n\n<li><strong>DDoS 
Amplification<\/strong> \u2014 Attackers can use pingbacks to overload your server.<\/li>\n\n<li><strong>Pingback Spam<\/strong> \u2014 Enables spammers to send automated trackback spam.<\/li>\n\n<li><strong>Legacy &amp; Unused<\/strong> \u2014 Most users rely on REST API (more secure) for remote access.<\/li>\n\n<li><strong>Performance &amp; Security<\/strong> \u2014 Disabling it reduces unnecessary requests and potential vulnerabilities.<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\">If you use Jetpack, the WordPress mobile app, or remote publishing, you may need XML-RPC enabled \u2014 otherwise, disabling it is highly recommended.<\/p>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"When_NOT_to_Disable_XML-RPC\"><\/span>When NOT to Disable XML-RPC<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\">Keep it enabled only if you actively use:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Jetpack (some features require XML-RPC)<\/li>\n\n<li>WordPress mobile apps<\/li>\n\n<li>Remote posting tools (e.g., Windows Live Writer, MarsEdit)<\/li>\n\n<li>Certain plugins that rely on XML-RPC<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\">Most modern alternatives use the REST API, so disabling is safe for 90%+ of users.<\/p>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_Methods_to_Disable_XML-RPC_in_WordPress\"><\/span>3 Methods to Disable XML-RPC in WordPress<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<h3 class=\"wp-block-heading\">Method 1: Using a Plugin (Easiest &amp; Recommended)<\/h3>\n\n<p class=\"wp-block-paragraph\">Plugins offer one-click disabling with additional security benefits.<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Recommended Plugin<\/strong>: Disable XML-RPC (Free &amp; Simple)<\/p>\n\n<ol class=\"wp-block-list\">\n<li>Install and activate <strong>Disable XML-RPC<\/strong> from <strong>Plugins &gt; Add New<\/strong>.<\/li>\n\n<li>That&#8217;s it \u2014 the plugin 
immediately disables all XML-RPC requests.<\/li>\n\n<li>No configuration needed \u2014 it works instantly.<\/li>\n<\/ol>\n\n<p class=\"wp-block-paragraph\"><strong>Alternative<\/strong>: <strong>All in One WP Security &amp; Firewall<\/strong> (free) \u2014 Enable the XML-RPC disable option in settings.<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Pros<\/strong>: Instant, reversible, adds extra security layers. <strong>Cons<\/strong>: Adds one more plugin (very lightweight).<\/p>\n\n<h3 class=\"wp-block-heading\">Method 2: Disable via .htaccess (No Plugin \u2013 Most Reliable)<\/h3>\n\n<p class=\"wp-block-paragraph\">This Apache method completely blocks access to xmlrpc.php.<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Access your site via FTP or hosting file manager.<\/li>\n\n<li>Locate .htaccess in the root directory (back it up first!).<\/li>\n\n<li>Add this code at the top:<\/li>\n<\/ul>\n\n<pre class=\"wp-block-code\"><code># Disable XML-RPC\n&lt;Files xmlrpc.php&gt;\norder deny,allow\ndeny from all\n&lt;\/Files&gt;<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li>Save and upload.<\/li>\n\n<li>Test: Try accessing yourdomain.com\/xmlrpc.php \u2014 you should see a 403 Forbidden error.<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\"><strong>Note<\/strong>: Works only on Apache servers. For NGINX, contact your host to add the equivalent rule.<\/p>\n\n<h3 class=\"wp-block-heading\">Method 3: Disable via Code in functions.php (Custom &amp; Lightweight)<\/h3>\n\n<p class=\"wp-block-paragraph\">Add this to your child theme&#8217;s functions.php or via the WPCode plugin:<\/p>\n\n<p class=\"wp-block-paragraph\">PHP<\/p>\n\n<pre class=\"wp-block-code\"><code>add_filter( 'xmlrpc_enabled', '__return_false' );<\/code><\/pre>\n\n<p class=\"wp-block-paragraph\">This disables XML-RPC completely and safely without blocking the file.<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Pros<\/strong>: No extra files\/plugins. 
<strong>Cons<\/strong>: Requires child theme or snippet plugin.<\/p>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_Verify_XML-RPC_Is_Disabled\"><\/span>How to Verify XML-RPC Is Disabled<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul class=\"wp-block-list\">\n<li>Visit yourdomain.com\/xmlrpc.php \u2014 should return 403 or blank page.<\/li>\n\n<li>Use online tools like xmlrpcpingback.com or security scanners.<\/li>\n\n<li>Check server logs for blocked XML-RPC requests.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Additional_Security_Tips\"><\/span>Additional Security Tips<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<ul class=\"wp-block-list\">\n<li>Combine with login attempt limiting (see our <a href=\"https:\/\/www.copebusiness.com\/security\/limit-login-attempts-wordpress\/?referrer=grok.com\" target=\"_blank\" rel=\"noreferrer noopener\">guide<\/a>).<\/li>\n\n<li>Enable 2FA and strong passwords.<\/li>\n\n<li>Keep WordPress, themes, and plugins updated.<\/li>\n\n<li>Use a security plugin like Wordfence for monitoring.<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\">Disabling XML-RPC is a quick win that reduces risk significantly.<\/p>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Final_Thoughts\"><\/span>Final Thoughts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\">XML-RPC is a legacy feature that no longer provides meaningful benefits for most users \u2014 disabling it is a smart security decision. Use a plugin for simplicity or .htaccess\/code for maximum efficiency.<\/p>\n\n<p class=\"wp-block-paragraph\">A more secure site is a faster, more trusted site.<\/p>\n\n<p class=\"wp-block-paragraph\">Experiencing security concerns or need a full site hardening audit? 
<a href=\"https:\/\/www.copebusiness.com\/contact\/\" target=\"_blank\" rel=\"noreferrer noopener\">Contact Cope Business<\/a> for a free technical SEO consultation \u2014 we&#8217;ll secure your WordPress site and optimize it for performance and peace of mind.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>XML-RPC is a legacy WordPress feature that allows remote access and management of your site &mdash; including posting from apps, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":14622,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[189],"tags":[],"class_list":["post-14620","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"jetpack_publicize_connections":[],"_links":{"self":[{"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/posts\/14620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/comments?post=14620"}],"version-history":[{"count":4,"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/posts\/14620\/revisions"}],"predecessor-version":[{"id":15664,"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/posts\/14620\/revisions\/15664"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/media\/14622"}],"wp:attachment":[{"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/media?parent=14620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/categories?post=14620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.copebusiness.com\/fr\/wp-json\/wp\/v2\/tags?post=14620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}