Do you want to disable XML-RPC on your WordPress site?
XML-RPC is a core WordPress API that allows users to connect to their WordPress website using third-party apps, tools, and services. Unfortunately, in the past hackers have found ways to exploit XML-RPC to gain access to WordPress websites.
In this article, we’ll show you how to easily disable XML-RPC in WordPress.
What Is XML-RPC in WordPress?
XML-RPC is a core WordPress API that has been enabled by default since WordPress 3.5 was released in 2012. It allows developers to use XML and HTTPS protocols to connect to and interact with your WordPress website.
In short, you need XML-RPC enabled to access and publish your blog remotely, such as when you want to use a mobile app to manage your site or make connections to automation services such as Uncanny Automator or Zapier.
However, if you’re not using mobile apps with your website, then some WordPress security experts may advise you to disable XML-RPC. This closes a door that may potentially be exploited to hack your website.
That being said, let’s take a look at how to easily disable the XML-RPC API in WordPress. The .htaccess method is best because it’s the least resource intensive, and the other methods are easier for beginners.
Method 1: Disable WordPress XML-RPC With .htaccess (Advanced)
This method is for advanced users because it requires you to edit your site’s .htaccess file. We recommend that beginners use Method 2 or 3.
This way has several advantages, such as the ability to give remote access to yourself and your team while restricting everyone else. It also won’t negatively affect your WordPress performance, since it disables XML-RPC requests before they are passed on to WordPress.
You will need to add the following code to your .htaccess file. You can do this by connecting to your site using an FTP client or file manager. Also, All in One SEO users can use the plugin’s built-in editor tool to add the code snippet.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 188.8.131.52
</Files>
If you wish to give a certain user remote access to your site, then simply replace ‘188.8.131.52’ on line 5 with their IP address. You can add multiple IP addresses by separating them with spaces.
Or, if you want to disable XML-RPC completely, then delete line 5 altogether.
Note: If you can’t locate .htaccess, then see our guide on why you can’t find .htaccess in WordPress.
Method 2: Disable WordPress XML-RPC With a Code Snippet (Recommended)
This method requires you to add some code to your WordPress website. If you haven’t done this before then take a look at our guide on how to copy and paste custom code snippets in WordPress.
WPCode is the easiest and safest way to add code to your WordPress site. It helps you to manage your code snippets and prevents any errors from breaking your site.
In this method, we will use one of WPCode’s built-in code snippets to disable XML-RPC.
Upon activation, head over to Code Snippets » Add Snippet. The WPCode library already contains a snippet that disables XML-RPC. You can find it by searching for ‘xml.’
Once you find it, you need to click the ‘Use snippet’ button.
Next, you need to switch the ‘Active’ toggle to the ‘On’ position.
Finally, make sure you click the ‘Update’ button to enable the snippet on your site and disable the XML-RPC API.
Method 3: Disable WordPress XML-RPC With a Plugin
This is a simple method that can be used if you don’t want to add any other customizations to your website with a code snippet plugin.
The plugin works out of the box and will immediately deactivate XML-RPC.
You can navigate to XML-RPC Security » XML-RPC Settings to configure the plugin. For example, you can allow certain users to access XML-RPC by whitelisting their IP addresses.
Testing That WordPress XML-RPC Is Disabled
Now you should check to make sure you successfully disabled the XML-RPC API on your WordPress website.
You can also check that XML-RPC is disabled by simply visiting the URL http://example.com/xmlrpc.php in your browser. Make sure you replace ‘example.com’ with your own website’s domain name.
If XML-RPC is disabled, you should see the error message: ‘Forbidden: You don’t have permission to access this resource.’
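The browser check above can be scripted so that it runs again after every server or plugin change. The following Python script is an added example, not part of the original article; the function names and verdict labels are assumptions chosen here. A ‘reachable’ verdict means WordPress itself still answers at xmlrpc.php, and a GET request alone cannot tell whether its methods were switched off inside WordPress.

```python
"""Scripted version of the article's browser test for /xmlrpc.php."""
import sys
import urllib.error
import urllib.request

# Text WordPress sends when xmlrpc.php is reached with a non-POST request.
WP_GET_BANNER = "XML-RPC server accepts POST requests only."


def classify(status, body):
    """Map the HTTP status and body of GET /xmlrpc.php to a verdict."""
    if status == 403:
        # The web server refused the request before WordPress ran,
        # which is the 'Forbidden' result the article tells you to expect.
        return "blocked"
    if WP_GET_BANNER in body:
        # WordPress answered, so the file is still served to this client.
        return "reachable"
    if status == 404:
        return "not-found"
    return "inconclusive"


def probe(site, timeout=10):
    """GET <site>/xmlrpc.php and return (status, verdict)."""
    url = site.rstrip("/") + "/xmlrpc.php"
    req = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx, but status and body are still available.
        status, raw = err.code, err.read(4096)
    return status, classify(status, raw.decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_xmlrpc.py https://example.com")
    try:
        code, verdict = probe(sys.argv[1])
    except urllib.error.URLError as err:
        sys.exit(f"request failed: {err.reason}")
    print(f"HTTP {code}: {verdict}")
    # Non-zero exit unless blocked, so a scheduled job can alert on regressions.
    sys.exit(0 if verdict == "blocked" else 1)
```

Run it from an address that is not on the .htaccess allow list, because an allowed IP will still see the endpoint as reachable.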
We hope this article helped you learn how to easily disable XML-RPC in WordPress.