WPBeginner - WordPress Tutorials for Beginners

Beginner's Guide for WordPress / Start your WordPress Blog in minutes

How to Disable XML-RPC in WordPress (Secure Method)

Last updated on by Editorial Staff | Reader DisclosureDisclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

Shares 163 Share Facebook Messenger WhatsApp

Do you want to disable XML-RPC on your WordPress site?

XML-RPC is a core WordPress API that allows users to connect to their WordPress website using third-party apps, tools, and services.

In this article, we’ll show you how to easily disable XML-RPC in WordPress.

Easily disable XML-RPC in WordPress

What is XML-RPC in WordPress?

XML-RPC is one of the core WordPress APIs that allows apps to connect and interact with a WordPress website using XML and HTTPs protocols.

In short, it is a system that allows you to post on your WordPress blog using the WordPress mobile apps or other remote blogging apps. It is also needed if you want to make connections to automation services such as IFTTT or Zapier.

Basically, if you want to access and publish your blog remotely, then you need XML-RPC enabled. The API is safe and enabled by default on all WordPress websites.

However, some WordPress security experts may advise you to disable it.

Disabling it will basically close one more door that a potential hacker may try to exploit to hack your website.

That being said, let’s take a look at how to easily disable the XML-RPC API in WordPress.

Method 1. Disable XML-RPC in WordPress (with a Plugin

All you need to do is install and activate the Disable XML-RPC plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

The plugin works out of the box and there are no settings for you to configure.

Simply activating it will deactivate XML-RPC on your WordPress website.

Method 2. Disable XML-RPC in WordPress (with Code)

This method requires you to add some code to your WordPress website. If you haven’t done this before then take a look at our guide on how to copy and paste custom code snippets in WordPress.

Basically, WordPress core provides a filter to manually add to your website’s functions.php file to disable the XML-RPC API using the following code: 

add_filter('xmlrpc_enabled', '__return_false');

However, we don’t recommend directly editing your WordPress core files because it can break your site if not done correctly. We will be using WPCode to add this snippet because it’s easiest and safest way to add code to your WordPress site.

First, you need to install the free WPCode plugin. For step-by-step instructions, check out our step-by-step guide on how to install a WordPress plugin.

Upon activation, go to Code Snippets » Add Snippet and search for “xml.”

WPCode’s snippet library contains a way to disable XML-RPC, so all you need to do is click ‘Use snippet.”

Use WPCode Library to disable XML-RPC

Next, just switch the ‘Activate’ toggle on.

Be sure to click the ‘Update’ button to enable the snippet on your site and disable XML-RPC API.

Turn the WPCode snippet on by clicking Activate and pressing Update

Method 3. How to Disable WordPress XML-RPC with .htaccess

If you want want to allow remote access for you and your team while restricting everyone else, you can do so by disabling all XML-RPC requests before they are even passed on to WordPress.

Note that this is a more complex process, and we only recommend it for advanced users because you will need to edit your site’s .htaccess file.

The simplest and easiest way is to use All-in-One SEO Pro‘s built-in editor to add the code below. This can also be done by connecting to your site using an FTP client or through a file manager.

Use AIOSEO Pro to disable XML-RPC from htaccess

No matter the method, you just need to paste the following ito your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
 deny from all
allow from 123.123.123.123
</Files>

Note that you will need to know the IP address for anyone you want to allow remote access and replace 123.123.123.123 with it.

If you want to disable XML-RPC completely using .htaccess, simply remove allow from 123.123.123.123 from the file to completely block access.

Testing XML-RPC Functionality in WordPress

Next, you can test if you have successfully disabled the XML-RPC API on your WordPress website.

The simplest way to do that is by installing the WordPress Mobile App on your phone. It is available for iOS and Android.

After installing the app, open it on your phone, and then tap on the ‘Enter your existing site address’ button.

Connect your WordPress website

On the next screen, you’ll be asked to provide your website address. Enter your website address and tap on the continue button.

After that, you will be asked to enter your login details. Here you need to provide the same username and password that you use to sign in on your website.

XML RPC disabled successfully

You should now see the error message that XML-RPC services are disabled on this site.

We hope this article helped you learn how to easily disable XML-RPC in WordPress. You may also want to see our list of the important things you need to do after installing WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Popular on WPBeginner Right Now!

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit – a collection of WordPress related products and resources that every professional should have!

Download Now

Reader Interactions

45 CommentsLeave a Reply

  1. in htaccess, the line:
    allow from 123.123.123.123
    Looks like it wants to be edited with my IP address. But this is not stated anywhere —?

    Reply

    • Blocking would attempt to limit access to the feature while disabling would turn it off completely. If you disable it you wouldn’t need to worry about someone accessing it through a different method.

      Reply

      Admin

  3. The recomnended plugin Disable XML-RPC has not been updated since last 2 years. It says the plugin has not been tested with the last 3 releases of wordpress.

    Reply

  4. Hi,

    Will disabling the xmlrpc.php access also disable the access to wordpress apis used for android/ios app development?

    Reply

  5. Found the solution:
    Adding following information in nginx config:
    # nginx block xmlrpc.php requests
    location /xmlrpc.php {
    deny all;
    }

    Reply

  6. I use nginx instead of Apache. Can I still use .htaccess on my site?
    And do I need to store this file in public_html directory, or one level above it?

    Reply

    • Yes, the .htaccess in your site’s root folder is where you would add the .htaccess code :)

      Reply

      Admin

  10. why would we allow 123.123.123.123 ?

    If we aren’t using the service at all, why not let “deny all” be absolute?

    Reply

    • If i’m reading the code correctly;
      order deny,allow – puts deny before allow, since deny is ‘all’ then allow isn’t processed
      deny from all – does what it says
      allow from 123.123.123.123 – is a place holder

      I gather that if you have a fixed IP address you could change order to “allow,deny” and replace 123.123.123.123 with your IP address. That would allow your IP then deny all others.

      Reply

  11. Thanks WP-Beginner, I’m trying to be baddest WP boy in my neighbourhood and this is exactly why I keep coming back to you guys, each question I have you say; here is the easy way, and here is the RIGHT way :-)

    Me an my .htaccess are going to have a little chat about htpasswrd and this here XMLRPC thingy my clients will never need.

    You all just made my corner of the net a little bit safer, as MailChimp would say: High Fives!

    Reply

  12. Ok, i will use this code but i want IFTTT to have work on my website what i need to add?

    # Block WordPress xmlrpc.php requests

    order deny,allow
    deny from all
    allow from 123.123.123.123

    Reply

  13. Hi,

    I have followed the instructions to block the xmlrpc.php file using .htaccess but im not sure if it is working.

    Im using wordfence security and in the live traffic view i can see the requests for the xmlrpc.php file have stopped, but if i check my access logs

    tail -f /apache2/logs/access_log

    I can still see the requests coming in, but the code at the end has changed from 500 to 403. Im concerned im getting a false report from my WordFence plugin and that im still being flooded with spam. Can anyone advise?

    Thanks,

    PhilB

    Reply

    • Oh yeah! Thats working perfectly, your XMLRPC is FORBIDDEN!

      HTTP Status Code 403: The server understood the request but refuses to authorize it.

      Reply

  14. I got a weird problem…

    I’m using my wordpress blogs with IFTTT and all worked fine, until I integrated it with MaxCDN; IFTTT immediately stopped working. I did some research and the problem might be related to XML-RPC that was de-activated.

    When I check my dashbord in “Settings” > “Writing” , I don’t see anything like XML-RPC, Remote Publishing, etc. I’ve checked database in options, also xml-rpc not available / missing.

    I need to activate XML-RPC to keep my IFTTT working.

    How do I re-activate XML-RPC; all I need is a script that I can add in .htaccess or functions.php to activate XML-RPC.

    And why am I missing the XML-RPC funtionality in my dashboard.

    Thank You!

    Reply

  15. I was searching for how to add this file xmlprc.php to my wordpress i am using 4.5.3 version and i came to this page. I need to add this php file because when i enable jetpack i got error of site_inaccessible. Please tell me hot to resolve this error my site is

    Reply

    • Connect to your WordPress site using FTP client or File Manager in cPanel. In your website’s root directory look for xmlrpc.php file. If it is there, then try step 2. If it isn’t then download a fresh copy of WordPress. Unzip and extract it and upload xmlrpc.php file back to your site’s root directory.

      Step 2: Check your WordPress theme’s functions file for the code that disables XML-RPC.

      Step 3: Check your .htaccess and wp-config files.

      Reply

      Admin

  16. Please,what can i do to enable xmlrpc on my site?because i can’t login using wordpess mobile app on my smartphone..

    Reply

  17. Booyah! This WP filter fixed the script kiddie attack. I still firewalled the person, but I don’t have to watch the logs like a hawk to add more IPs to the firewall. THANK YOU.

    Reply

  18. I’m totally onboard for disabling xmlrpc.php server wide in my /etc/httpd/conf/includes/pre_main_global.conf file. But I am left with this questions…is there a way to determine that a particular plugin “NEEDS” xmlrpc.php in order to work? I have concerns with blocking access to it and then having an issue 2 months down the road and not know that the issue is with the fact that I blocked xmlrpc.php previously.

    Are there any common signs to look for in a log file or such which would point to a xmlrpc.php block as the cause?

    Reply

  20. Hey am using WordPress app to post with my android smartphone. Now I can’t login and my login credentials are correct. The response I got was ” we can’t log you in couldn’t connect to the WordPress site”.Could you help me fix this WordPress app login error.

    Reply

    • If you had disabled XML RPC then you may not be able to login using WordPress mobile app. Look in your theme’s functions.php file for this code 

      add_filter('xmlrpc_enabled', '__return_false');

      If it is there, then you need to remove it. You can also try deactivating plugins and turning them on one by one until you find the plugin that is stopping you from login using WordPress mobile app.

      Reply

      Admin

  21. It’s worth noting, that “allow from 123.123.123.123” is optional, and if used should be updated to include your IP, or the IP of the device that needs access to xmlrpc.php (it would be good to cite examples in this article).

    Reply

  22. I am using GoodbyeCaptcha plugin to turn off the XML-RPC and works with no problem while Jetpack is activated.
    Hope it helps

    Reply

  23. Sorry, I’ve tried this method many times. It didn’t work for me – in fact it brought the front end down (blocking visitors read access to the web page) after adding these codes to the .htaccess file.

    Reply

  25. Keith, there’s a trend in WordPress to move non-theme related functions out of the functions.php file and into a “site specific plugin”, basically a plugin that you only activate on one unique website and it stores the non-theme related functions for that site.

    You can accomplish the same thing by placing the code in your functions.php file.

    Reply

  26. Hi Guys
    Sorry to be a bit thick but could you expand on… “All you have to do is paste the following code in a site-specific plugin:”

    Which plugins are site specific?

    Reply

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Featured in

Copyright © 2009 - 2023 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.

Managed by Awesome Motive | WordPress hosting by SiteGround | WordPress Security by Sucuri.

I need help with…

Popular searches:

Starting a
Blog WordPress
SEO WordPress
Performance WordPress
Errors WordPress
Security Building an
Online Store