XML-RPC is a legacy WordPress feature that allows remote access and management of your site — including posting from apps, Jetpack, and the WordPress mobile app. While useful in the past, it has become a major security risk, as attackers frequently exploit it for brute-force login attempts, DDoS attacks, and XML-RPC pingback floods. Disabling XML-RPC is one of the simplest and most effective security measures you can take, especially if you don’t use remote publishing tools. At Cope Business, we always recommend disabling XML-RPC (unless needed) during our technical SEO audit services to reduce attack surface and improve overall site protection.
This guide explains why you should disable XML-RPC, when it’s safe to do so, and three reliable methods to turn it off in WordPress.
Why Disable XML-RPC in WordPress?
- Brute-Force Attacks — XML-RPC allows unlimited login attempts without rate limiting.
- DDoS Amplification — Attackers can use pingbacks to overload your server.
- Pingback Spam — Enables spammers to send automated trackback spam.
- Legacy & Unused — Most users rely on REST API (more secure) for remote access.
- Performance & Security — Disabling it reduces unnecessary requests and potential vulnerabilities.
If you use Jetpack, the WordPress mobile app, or remote publishing, you may need XML-RPC enabled — otherwise, disabling it is highly recommended.
When NOT to Disable XML-RPC
Keep it enabled only if you actively use:
- Jetpack (some features require XML-RPC)
- WordPress mobile apps
- Remote posting tools (e.g., Windows Live Writer, MarsEdit)
- Certain plugins that rely on XML-RPC
Most modern alternatives use the REST API, so disabling is safe for 90%+ of users.
3 Methods to Disable XML-RPC in WordPress
Method 1: Using a Plugin (Easiest & Recommended)
Plugins offer one-click disabling with additional security benefits.
Recommended Plugin: Disable XML-RPC (Free & Simple)
- Install and activate Disable XML-RPC from Plugins > Add New.
- That’s it — the plugin immediately disables all XML-RPC requests.
- No configuration needed — it works instantly.
Alternative: All in One WP Security & Firewall (free) — Enable the XML-RPC disable option in settings.
Pros: Instant, reversible, adds extra security layers. Cons: Adds one more plugin (very lightweight).
Method 2: Disable via .htaccess (No Plugin – Most Reliable)
This Apache method completely blocks access to xmlrpc.php.
- Access your site via FTP or hosting file manager.
- Locate .htaccess in the root directory (backup first!).
- Add this code at the top:
    # Disable XML-RPC
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>
- Save and upload.
- Test: Try accessing yourdomain.com/xmlrpc.php — you should see a 403 Forbidden error.
Note: Works only on Apache servers. For NGINX, contact your host to add the equivalent rule.
Method 3: Disable via Code in functions.php (Custom & Lightweight)
Add this to your child theme’s functions.php or via WPCode plugin:
PHP
add_filter( 'xmlrpc_enabled', '__return_false' );
This disables XML-RPC completely and safely without blocking the file.
Pros: No extra files/plugins. Cons: Requires child theme or snippet plugin.
How to Verify XML-RPC Is Disabled
- Visit yourdomain.com/xmlrpc.php — should return 403 or blank page.
- Use online tools like xmlrpcpingback.com or security scanners.
- Check server logs for blocked XML-RPC requests.
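One way to carry out the log check in the last step, as an added example that is not part of the original guide: it assumes an access log in the Apache "combined" format and treats 403 as the blocked response that Method 2 produces. The function name and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation IP ranges, not real traffic.
# The first line stands for a request logged before the block was deployed.
SAMPLE_LOG = """\
192.0.2.44 - - [12/Mar/2025:09:40:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.20 - - [12/Mar/2025:10:02:10 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2025:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

def summarize_xmlrpc(log_text):
    """Count xmlrpc.php requests by status and client IP, and list
    every request that was answered with something other than 403."""
    by_status, by_ip, not_blocked = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        # Compare on the path only: drop any query string, ignore case.
        path = m['path'].split('?', 1)[0].lower()
        if not path.endswith('/xmlrpc.php'):
            continue
        status = int(m['status'])
        by_status[status] += 1
        by_ip[m['ip']] += 1
        if status != 403:
            not_blocked.append((m['ip'], m['method'], m['path'], status))
    return {
        'by_status': dict(by_status),
        'by_ip': by_ip.most_common(),   # busiest clients first
        'not_blocked': not_blocked,     # should be empty once the block is live
    }

if __name__ == '__main__':
    for key, value in summarize_xmlrpc(SAMPLE_LOG).items():
        print(key, value)
```

Because Method 3 does not block the file, requests to xmlrpc.php are expected to show a non-403 status in the log on sites that use only that method.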
Additional Security Tips
- Combine with login attempt limiting (see our guide).
- Enable 2FA and strong passwords.
- Keep WordPress, themes, and plugins updated.
- Use a security plugin like Wordfence for monitoring.
Disabling XML-RPC is a quick win that reduces risk significantly.
Final Thoughts
XML-RPC is a legacy feature that no longer provides meaningful benefits for most users — disabling it is a smart security decision. Use a plugin for simplicity or .htaccess/code for maximum efficiency.
A more secure site is a faster, more trusted site.
Experiencing security concerns or need a full site hardening audit? Contact Cope Business for a free technical SEO consultation — we’ll secure your WordPress site and optimize it for performance and peace of mind.




