Do you want to disable XML-RPC in WordPress?
XML-RPC is a core WordPress API that allows users to connect to their WordPress website using third-party apps, tools, and services.
In this article, we’ll show you how to easily disable XML-RPC in WordPress.
What is XML-RPC in WordPress?
XML-RPC is one of the core WordPress APIs. It allows apps to connect to and interact with a WordPress website using XML and the HTTPS protocol.
In short, it is a system that allows you to post on your WordPress blog using popular weblog clients like the WordPress mobile apps, Open Live Writer, or other remote blogging apps. It is also needed if you want to make connections to services like IFTTT.
If you want to access and publish your blog remotely, then you need XML-RPC enabled.
XML-RPC API is safe and enabled by default on all WordPress websites. However, some WordPress security experts may advise you to disable it.
Disabling it will basically close one more door that a potential hacker may try to exploit to hack your website.
That being said, let’s take a look at how to easily disable the XML-RPC API in WordPress.
Method 1. Disable XML-RPC in WordPress by Using a Plugin
This method is easier and recommended for all WordPress users.
The plugin works out of the box and there are no settings for you to configure.
Simply activating the plugin will deactivate XML-RPC on your WordPress website.
Method 2. Manually Disable XML-RPC in WordPress
This method requires you to add some code to your WordPress website. If you haven’t done this before, then take a look at our guide on how to copy and paste custom code snippets in WordPress.
Basically, WordPress core provides a filter that you can add to your website manually to disable the XML-RPC API.
Now you can save your changes and WordPress will deactivate the XML-RPC API.
Method 3. How to Disable WordPress XML-RPC with .htaccess
While the above solution is sufficient for many, it can still be resource intensive for sites that are getting attacked.
In those cases, you may want to disable all xmlrpc.php requests from the .htaccess file before the request is even passed onto WordPress.
Simply paste the following code in your .htaccess file:
# Block WordPress xmlrpc.php requests
# (Apache 2.2-style directives; Apache 2.4 needs mod_access_compat for these)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
In the above code, we have denied access to the XML-RPC file for everyone.
However, what if you needed to give access to a particular app, yourself, or some other user? In that case, you’ll need to know the IP address they are using.
After that you can replace the above code with the following.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 18.104.22.168
</Files>
Don’t forget to replace 18.104.22.168 with the IP address that you want to allow.
Testing XML-RPC Functionality in WordPress
Next, you can test if you have successfully disabled the XML-RPC functionality on your WordPress website.
The easiest way to do that is by installing the WordPress Mobile App on your phone. It is available for both iPhone and Android devices.
After installing the app, open it on your phone, and then tap on the ‘Enter your existing site address’ button.
On the next screen, you’ll be asked to provide your website address. Enter your website address and tap on the ‘Continue’ button.
After that, you will be asked to enter your login details. Here you need to provide the same username and password that you use to sign in on your website.
You should now see the error message that XML-RPC services are disabled on this site.
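As a scripted alternative to the mobile app test, the following added example (not part of the original article) classifies the reply from xmlrpc.php so you can tell a web-server block (Method 3) from XML-RPC being switched off inside WordPress (Methods 1 and 2). The function names, the placeholder credentials and the sample replies are constructed for illustration, and the script assumes WordPress returns the "XML-RPC services are disabled" fault before it checks any credentials.

```python
import urllib.error
import urllib.request
import xmlrpc.client

# Error text the article says the mobile app shows once XML-RPC is off.
DISABLED_TEXT = "XML-RPC services are disabled"

def classify(status, body):
    """Map one xmlrpc.php reply (HTTP status, body text) to a verdict."""
    if status in (401, 403):
        return "blocked-by-web-server"       # Method 3: denied before WordPress runs
    try:
        xmlrpc.client.loads(body)            # raises Fault for a <fault> reply
    except xmlrpc.client.Fault as fault:
        if DISABLED_TEXT in fault.faultString:
            return "disabled-in-wordpress"   # Methods 1 and 2
        return "enabled"                     # some other fault: the API still answered
    except Exception:
        return "unknown"                     # not XML-RPC (HTML error page, proxy, ...)
    return "enabled"

def probe(site_url):
    """Send one wp.getUsersBlogs call with placeholder credentials; classify the reply."""
    call = xmlrpc.client.dumps(("placeholder-user", "placeholder-pass"), "wp.getUsersBlogs")
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php",
                                 data=call.encode("utf-8"),
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))

def fault_reply(code, text):
    """Build a constructed XML-RPC fault body for the offline samples below."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, text))

# Constructed sample replies (not captured from a real site).
SAMPLES = {
    "htaccess deny": (403, "<html><body>Forbidden</body></html>"),
    "filter active": (200, fault_reply(405, "XML-RPC services are disabled on this site.")),
    "still enabled": (200, fault_reply(403, "Incorrect username or password.")),
    "maintenance page": (503, "<html><body>Briefly unavailable</body></html>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:18} -> {classify(status, body)}")
```

Calling probe("https://example.com") with your own site address sends a single request. A result of "enabled" means none of the three methods is in effect yet.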
We hope this article helped you learn how to easily disable XML-RPC in WordPress. You may also want to see our list of the important things you need to do after installing WordPress.