
How to Disable XML-RPC in WordPress


The XML-RPC service was disabled by default for the longest time, mainly for security reasons. In WordPress 3.5, this is about to change: XML-RPC will be enabled by default, and the ability to turn it off from your WordPress dashboard is going away. In this article, we will show you how to disable XML-RPC in WordPress and talk further about the decision to enable it by default.

What is XML-RPC?

According to Wikipedia, XML-RPC is a remote procedure call protocol which uses XML to encode its calls and HTTP as a transport mechanism. In short, it is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. It is also needed if you are using the WordPress mobile app or want to make connections to services like IFTTT.

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

In the past, there were security concerns with XML-RPC, so it was disabled by default. In his comment on trac ticket #21509, @nacin, one of the core contributors of WordPress, said:

Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.

There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.

With the increasing use of mobile, this change was imminent. However, some security-cautious folks may say that while XML-RPC’s security is not that big of an issue, it still provides an additional attack surface if a vulnerability is ever found. Thus, keeping it disabled would make more sense.

To keep everyone happy, while the user interface option and the database option to turn off XML-RPC have been removed, there is a filter that you can use to turn it off if needed.

How to Disable XML-RPC in WordPress 3.5

All you have to do is paste the following code in a site-specific plugin:

add_filter('xmlrpc_enabled', '__return_false');

Alternatively, you can just install the plugin called Disable XML-RPC. All you have to do is activate it. It does the exact same thing as the code above.

How to Disable WordPress XML-RPC with .htaccess

While the above solution is sufficient for many, it can still be resource intensive for sites that are getting attacked, because each request to xmlrpc.php still loads WordPress before the filter rejects it.

In those cases, you may want to disable all xmlrpc.php requests from the .htaccess file before the request is even passed onto WordPress.

Simply paste the following code in your .htaccess file:

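# Block WordPress xmlrpc.php requests
# (Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 accepts it only with mod_access_compat loaded)
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: to let one address through, uncomment the next line and replace the placeholder with that IP
# allow from YOUR.IP.ADDRESS
</Files>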
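To check that the rule is taking effect, and to see which clients still get through to WordPress, the following added example (not part of the original article) tallies xmlrpc.php requests in an Apache access log by status code and client IP. Requests refused by the `<Files>` rule show up as 403. The function names, sample log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: client ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges); not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 500 612 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 500 612 "-" "-"
198.51.100.23 - - [10/Oct/2016:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "ExampleBlogClient/1.0"
192.0.2.44 - - [10/Oct/2016:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [10/Oct/2016:14:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 221 "-" "-"
203.0.113.7 - - [10/Oct/2016:14:05:02 +0000] "POST //xmlrpc.php?x=1 HTTP/1.1" 403 221 "-" "-"
this line is not in access-log format
"""


def is_xmlrpc(path):
    """True when the request targets xmlrpc.php (query string ignored)."""
    return "/xmlrpc.php" in path.split("?", 1)[0]


def summarize(lines):
    """Count xmlrpc.php requests per status code and per client IP."""
    by_status, by_ip = Counter(), defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_xmlrpc(m["path"]):
            by_status[m["status"]] += 1
            by_ip[m["ip"]][m["status"]] += 1
    return by_status, by_ip


def reached_wordpress(by_ip):
    """Clients with at least one xmlrpc.php request that was not refused with 403."""
    return sorted(ip for ip, codes in by_ip.items() if set(codes) - {"403"})


if __name__ == "__main__":
    statuses, clients = summarize(SAMPLE_LOG.splitlines())
    print("xmlrpc.php responses by status:", dict(statuses))
    print("clients not (always) blocked:", reached_wordpress(clients))
```

Feed it only the log lines written after the .htaccess change: an empty result from `reached_wordpress` means every xmlrpc.php request was refused by Apache, while clients listed before the change are the ones that will lose remote access.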

Because we do not use any mobile app or remote connections to publish on WPBeginner, we will be disabling XML-RPC by default. What are your thoughts on the issue?

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.



  1. Cezar says:

    OK, I will use this code, but I want IFTTT to work on my website. What do I need to add?

    # Block WordPress xmlrpc.php requests

    order deny,allow
    deny from all
    allow from

  2. PhilB says:


    I have followed the instructions to block the xmlrpc.php file using .htaccess but I’m not sure if it is working.

    I’m using Wordfence Security and in the live traffic view I can see the requests for the xmlrpc.php file have stopped, but if I check my access logs

    tail -f /apache2/logs/access_log

    I can still see the requests coming in, but the code at the end has changed from 500 to 403. I’m concerned I’m getting a false report from my Wordfence plugin and that I’m still being flooded with spam. Can anyone advise?



  3. Raymundo says:

    I got a weird problem…

    I’m using my WordPress blogs with IFTTT and all worked fine, until I integrated it with MaxCDN; IFTTT immediately stopped working. I did some research and the problem might be related to XML-RPC that was de-activated.

    When I check my dashboard in “Settings” > “Writing”, I don’t see anything like XML-RPC, Remote Publishing, etc. I’ve checked the database in options, also XML-RPC not available / missing.

    I need to activate XML-RPC to keep my IFTTT working.

    How do I re-activate XML-RPC? All I need is a script that I can add in .htaccess or functions.php to activate XML-RPC.

    And why am I missing the XML-RPC functionality in my dashboard?

    Thank You!

  4. Muhammad Ammar Ashfaq says:

    I was searching for how to add this file xmlrpc.php to my WordPress, I am using version 4.5.3, and I came to this page. I need to add this PHP file because when I enable Jetpack I got an error of site_inaccessible. Please tell me how to resolve this error my site is

    • WPBeginner Support says:

      Connect to your WordPress site using an FTP client or File Manager in cPanel. In your website’s root directory look for the xmlrpc.php file. If it is there, then try step 2. If it isn’t, then download a fresh copy of WordPress. Unzip and extract it and upload the xmlrpc.php file back to your site’s root directory.

      Step 2: Check your WordPress theme’s functions file for the code that disables XML-RPC.

      Step 3: Check your .htaccess and wp-config files.

  5. omonaija says:

    Please, what can I do to enable xmlrpc on my site? Because I can’t log in using the WordPress mobile app on my smartphone.

  6. Mook says:

    Booyah! This WP filter fixed the script kiddie attack. I still firewalled the person, but I don’t have to watch the logs like a hawk to add more IPs to the firewall. THANK YOU.

  7. Chad says:

    I’m totally on board with disabling xmlrpc.php server-wide in my /etc/httpd/conf/includes/pre_main_global.conf file. But I am left with this question… is there a way to determine that a particular plugin “NEEDS” xmlrpc.php in order to work? I have concerns with blocking access to it and then having an issue 2 months down the road and not knowing that the issue is with the fact that I blocked xmlrpc.php previously.

    Are there any common signs to look for in a log file or such which would point to a xmlrpc.php block as the cause?

  8. Soumitra says:

    Hi, I just installed the plugin, Disable XML-RPC.

    Let’s see!

  9. Phranq says:

    Hey, I am using the WordPress app to post with my Android smartphone. Now I can’t log in and my login credentials are correct. The response I got was “we can’t log you in couldn’t connect to the WordPress site”. Could you help me fix this WordPress app login error?

    • WPBeginner Support says:

      If you had disabled XML-RPC then you may not be able to log in using the WordPress mobile app. Look in your theme’s functions.php file for this code

      add_filter('xmlrpc_enabled', '__return_false');

      If it is there, then you need to remove it. You can also try deactivating plugins and turning them on one by one until you find the plugin that is stopping you from logging in using the WordPress mobile app.

  10. Josiah says:

    It’s worth noting that “allow from” is optional, and if used should be updated to include your IP, or the IP of the device that needs access to xmlrpc.php (it would be good to cite examples in this article).

  11. Natalie says:

    I am using the GoodbyeCaptcha plugin to turn off XML-RPC and it works with no problem while Jetpack is activated.
    Hope it helps

  12. ATI says:

    Sorry, I’ve tried this method many times. It didn’t work for me – in fact it brought the front end down (blocking visitors’ read access to the web page) after adding this code to the .htaccess file.

  13. Gretchen Louise says:

    Does disabling it this way prevent this issue? I have a friend whose site is continually crashing because of her xmlrpc file being attacked.

  14. Christopher Ross says:

    Keith, there’s a trend in WordPress to move non-theme related functions out of the functions.php file and into a “site specific plugin”, basically a plugin that you only activate on one unique website and it stores the non-theme related functions for that site.

    You can accomplish the same thing by placing the code in your functions.php file.

  15. Keith Davis says:

    Hi Guys
    Sorry to be a bit thick but could you expand on… “All you have to do is paste the following code in a site-specific plugin:”

    Which plugins are site specific?
