How to Disable XML-RPC in WordPress

The XML-RPC service was disabled by default for the longest time, mainly for security reasons. In WordPress 3.5, this is about to change: XML-RPC will be enabled by default, and the ability to turn it off from your WordPress dashboard is going away. In this article, we will show you how to disable XML-RPC in WordPress and discuss the decision to enable it by default.

What is XML-RPC?

According to Wikipedia, XML-RPC is a remote procedure call protocol which uses XML to encode its calls and HTTP as a transport mechanism. In short, it is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. It is also needed if you are using the WordPress mobile app or want to make connections to services like IFTTT.

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

In the past, there were security concerns with XML-RPC, so it was disabled by default. In his comment on trac ticket #21509, @nacin, one of the core contributors of WordPress, said:

Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.

There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.

With the increasing use of mobile, this change was imminent. However, some security-cautious folks may say that while XML-RPC’s security is not that big of an issue, it still provides an additional attack surface if a vulnerability is ever found. Thus, keeping it disabled would make more sense.

To keep everyone happy, while the user interface option and the database option to turn off XML-RPC have been removed, there is a filter that you can use to turn it off if needed.

How to Disable XML-RPC in WordPress 3.5

All you have to do is paste the following code in a site-specific plugin:

add_filter('xmlrpc_enabled', '__return_false');

Alternatively, you can just install the plugin called Disable XML-RPC. All you have to do is activate it. It does the exact same thing as the code above.
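
As an added example (not code from WPBeginner or from WordPress itself), here is what a complete site-specific plugin file carrying this filter could look like. It goes one step beyond the one-liner: per the WordPress developer reference, xmlrpc_enabled only controls XML-RPC methods that require authentication, so the example also unregisters the pingback methods through the xmlrpc_methods filter and stops advertising the endpoint. The plugin name and the example_ function names are assumptions.

```php
<?php
/**
 * Plugin Name: Site-Specific Plugin (example)
 * Description: Added example. Restricts XML-RPC on this one site.
 */

// Refuse to run if the file is requested directly, outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// The filter from the article: switches off the XML-RPC methods
// that require a username and password (publishing, editing, etc.).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Assumption beyond the article: pingback methods need no login and
// are not covered by xmlrpc_enabled, so remove them from the list of
// methods the XML-RPC server will answer.
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// Assumption beyond the article: drop the X-Pingback response header
// so pages no longer announce the xmlrpc.php URL.
function example_remove_x_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_x_pingback_header' );
```

Save it as a single PHP file under wp-content/plugins/ and activate it from the Plugins screen. Requests to xmlrpc.php still reach PHP with this in place, so it reduces what the endpoint will do rather than blocking traffic to it.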

Because we do not use any mobile app or remote connections to publish on WPBeginner, we will be disabling XML-RPC by default. What are your thoughts on the issue?


Editorial Staff at WPBeginner is a team of WordPress lovers led by Syed Balkhi. Page maintained by Syed Balkhi.

  • Gretchen Louise

    Does disabling it this way prevent this issue? http://theaffluentblogger.com/operating-a-website/wordpress-xmlrpc-php-vulnerability-affects-shared-hosting-sites/ I have a friend whose site is continually crashing because of her xmlrpc file being attacked.

    • http://www.wpbeginner.com Editorial Staff

      Yes it will prevent the attack to an extent.

  • Christopher Ross

    Keith, there’s a trend in WordPress to move non-theme related functions out of the functions.php file and into a “site specific plugin”, basically a plugin that you only activate on one unique website and it stores the non-theme related functions for that site.

    You can accomplish the same thing by placing the code in your functions.php file.

  • Keith Davis

    Hi Guys
    Sorry to be a bit thick but could you expand on… “All you have to do is paste the following code in a site-specific plugin:”

    Which plugins are site specific?