WPBeginner


How to Disable XML-RPC in WordPress

Last updated on September 28th, 2015 by Editorial Staff

The XML-RPC service was disabled by default for the longest time, mainly for security reasons. In WordPress 3.5, this is about to change: XML-RPC will be enabled by default, and the ability to turn it off from your WordPress dashboard is going away. In this article, we will show you how to disable XML-RPC in WordPress and talk further about the decision to enable it by default.

What is XML-RPC?

According to Wikipedia, XML-RPC is a remote procedure call protocol which uses XML to encode its calls and HTTP as a transport mechanism. In short, it is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. It is also needed if you are using the WordPress mobile app or want to make connections to services like IFTTT.

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

In the past, there were security concerns with XML-RPC, so it was disabled by default. In his comment on trac ticket #21509, @nacin, one of the core contributors of WordPress, said:

Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.

There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.

With the increasing use of mobile, this change was imminent. However, some security-cautious folks may say that while XML-RPC’s security is not that big of an issue, it still provides an additional attack surface if a vulnerability is ever found. Thus, keeping it disabled would make more sense.

To keep everyone happy, while the user interface option and the database option to turn off XML-RPC have been removed, there is a filter that you can use to turn it off if needed.

How to Disable XML-RPC in WordPress 3.5

All you have to do is paste the following code in a site-specific plugin:

add_filter('xmlrpc_enabled', '__return_false');

Alternatively, you can just install the plugin called Disable XML-RPC. All you have to do is activate it. It does the exact same thing as the code above.

How to Disable WordPress XML-RPC with .htaccess

While the above solution is sufficient for many, it can still be resource intensive for sites that are getting attacked, because every request to xmlrpc.php still loads WordPress before it is rejected.

In those cases, you may want to block all xmlrpc.php requests in the .htaccess file, before the request is even passed on to WordPress.

Simply paste the following code in your .htaccess file:

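# Block WordPress xmlrpc.php requests
# (Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for these directives)
<Files xmlrpc.php>
# Evaluate deny rules first, then allow rules; a matching allow wins
order deny,allow
deny from all
# 123.123.123.123 is a placeholder: replace it with the IP address that still
# needs XML-RPC access, or delete this line to block everyone
allow from 123.123.123.123
</Files>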
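
To confirm the rule is taking effect, you can summarise xmlrpc.php requests in the Apache access log, where requests refused by Apache show status 403. The script below is an added example, not part of the original article; it assumes the combined log format, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check that the .htaccess
# rule is stopping xmlrpc.php requests. Assumes Apache's combined log format.

# Constructed sample log lines: documentation-range IPs plus the article's
# placeholder 123.123.123.123 standing in for the allowed address.
# The first line represents a request made before the rule was added.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [31/Aug/2016:09:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 500 613 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2016:09:31:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Aug/2016:09:31:15 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Aug/2016:09:31:16 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
123.123.123.123 - - [31/Aug/2016:09:32:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4272 "-" "wp-android"
192.0.2.50 - - [31/Aug/2016:09:33:02 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.0.2.50 - - [31/Aug/2016:09:33:05 +0000] "GET /blog/xmlrpc.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF
}

# Emit "client_ip status" for every request to a file named xmlrpc.php,
# in any directory, which is what <Files xmlrpc.php> matches.
xmlrpc_requests() {
  awk -F'"' '{
    split($1, pre, " ")            # pre[1] = client IP
    split($2, req, " ")            # req[2] = requested URL
    split($3, rest, " ")           # rest[1] = HTTP status
    path = req[2]
    sub(/\?.*/, "", path)          # ignore the query string
    if (path ~ /(^|\/)xmlrpc\.php$/) print pre[1], rest[1]
  }'
}

# Requests per HTTP status: 403 means Apache refused the request.
xmlrpc_status_counts() {
  xmlrpc_requests |
    awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' | sort -n
}

# Clients whose xmlrpc.php requests were not answered with 403. Once the
# rule is in place, only the allowed IP should keep appearing here.
xmlrpc_not_blocked() {
  xmlrpc_requests |
    awk '$2 != 403 { n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' |
    sort
}

# Demo on the sample; for a real server, redirect your access log instead,
# e.g. xmlrpc_status_counts < /path/to/access_log (path is an assumption).
sample_log | xmlrpc_status_counts
sample_log | xmlrpc_not_blocked
```

Each output line of the second function is "IP status count"; any address other than the one you allowed means those requests are still reaching the server past the rule.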

Because we do not use any mobile app or remote connections to publish on WPBeginner, we will be disabling XML-RPC by default. What are your thoughts on the issue?


About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.


44 Comments

  1. Christine says:
    Feb 23, 2021 at 9:36 am

    Is there a difference between disabling and blocking?

    Reply
    • WPBeginner Support says:
      Feb 24, 2021 at 9:07 am

      Blocking would attempt to limit access to the feature while disabling would turn it off completely. If you disable it you wouldn’t need to worry about someone accessing it through a different method.

      Reply
  2. Rashmi K says:
    Nov 21, 2020 at 2:22 am

    The recommended plugin Disable XML-RPC has not been updated in the last 2 years. It says the plugin has not been tested with the last 3 releases of WordPress.

    Reply
    • WPBeginner Support says:
      Nov 23, 2020 at 11:43 am

      For our stance on the not tested warning, you would want to take a look at our article below:

      https://www.wpbeginner.com/opinion/should-you-install-plugins-not-tested-with-your-wordpress-version/

      Reply
  3. Nikhil says:
    Oct 10, 2020 at 12:55 am

    Hi,

    Will disabling the xmlrpc.php access also disable the access to WordPress APIs used for Android/iOS app development?

    Reply
    • WPBeginner Support says:
      Oct 12, 2020 at 10:27 am

      That would depend on the API being used by the apps themselves.

      Reply
  4. Vyom says:
    May 31, 2020 at 12:28 am

    Found the solution:
    Adding the following information in the nginx config:
    # nginx block xmlrpc.php requests
    location /xmlrpc.php {
    deny all;
    }

    Reply
  5. Vyom says:
    May 24, 2020 at 12:19 pm

    I use nginx instead of Apache. Can I still use .htaccess on my site?
    And do I need to store this file in public_html directory, or one level above it?

    Reply
    • WPBeginner Support says:
      May 27, 2020 at 8:40 am

      If you’re using nginx then you would not be able to use .htaccess.

      Reply
      • Vyom says:
        May 27, 2020 at 11:31 pm

        Thanks for the reply. So is there an alternative for nginx?

        Reply
        • WPBeginner Support says:
          May 28, 2020 at 8:47 am

          You would add the site-specific plugin or the plugin from earlier in the article.

  6. Chinecherem Somto says:
    Mar 30, 2019 at 6:41 pm

    Hi, is it in the .htaccess file in the website root that I will paste the code?

    Reply
    • WPBeginner Support says:
      Apr 1, 2019 at 1:14 pm

      Yes, the .htaccess in your site’s root folder is where you would add the .htaccess code :)

      Reply
  7. Mojtaba Rezaeian says:
    Dec 19, 2018 at 6:16 pm

    Thank you author.

    Reply
    • WPBeginner Support says:
      Dec 20, 2018 at 9:59 am

      You are welcome Mojtaba :)

      Reply
  8. Bapi says:
    Nov 25, 2017 at 12:32 am

    How to use multiple IPs or an IP range like 123.123.123.1, 2, 3, …… 100,101

    Reply
  9. malcolm says:
    Apr 27, 2017 at 2:38 pm

    Why would we allow 123.123.123.123?

    If we aren’t using the service at all, why not let “deny all” be absolute?

    Reply
    • Edward says:
      May 25, 2017 at 10:26 pm

      If I’m reading the code correctly:
      order deny,allow – puts deny before allow, since deny is ‘all’ then allow isn’t processed
      deny from all – does what it says
      allow from 123.123.123.123 – is a placeholder

      I gather that if you have a fixed IP address you could change order to “allow,deny” and replace 123.123.123.123 with your IP address. That would allow your IP then deny all others.

      Reply
  10. David Hoy says:
    Apr 3, 2017 at 5:13 pm

    Thanks WP-Beginner, I’m trying to be baddest WP boy in my neighbourhood and this is exactly why I keep coming back to you guys, each question I have you say; here is the easy way, and here is the RIGHT way :-)

    Me and my .htaccess are going to have a little chat about htpasswd and this here XMLRPC thingy my clients will never need.

    You all just made my corner of the net a little bit safer, as MailChimp would say: High Fives!

    Reply
    • WPBeginner Support says:
      Apr 4, 2017 at 4:15 am

      Hey David,

      Thanks for the kind words. We are glad you find WPBeginner helpful :)

      Reply
  11. Cezar says:
    Oct 4, 2016 at 7:22 am

    OK, I will use this code, but I want IFTTT to work on my website. What do I need to add?

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from 123.123.123.123
    </Files>

    Reply
  12. PhilB says:
    Aug 31, 2016 at 9:32 am

    Hi,

    I have followed the instructions to block the xmlrpc.php file using .htaccess but I’m not sure if it is working.

    I’m using Wordfence security and in the live traffic view I can see the requests for the xmlrpc.php file have stopped, but if I check my access logs

    tail -f /apache2/logs/access_log

    I can still see the requests coming in, but the code at the end has changed from 500 to 403. I’m concerned I’m getting a false report from my Wordfence plugin and that I’m still being flooded with spam. Can anyone advise?

    Thanks,

    PhilB

    Reply
    • David Hoy says:
      Apr 3, 2017 at 5:09 pm

      Oh yeah! That’s working perfectly, your XMLRPC is FORBIDDEN!

      HTTP Status Code 403: The server understood the request but refuses to authorize it.

      Reply
  13. Raymundo says:
    Aug 10, 2016 at 3:45 am

    I got a weird problem…

    I’m using my WordPress blogs with IFTTT and all worked fine, until I integrated it with MaxCDN; IFTTT immediately stopped working. I did some research and the problem might be related to XML-RPC that was de-activated.

    When I check my dashboard in “Settings” > “Writing”, I don’t see anything like XML-RPC, Remote Publishing, etc. I’ve checked the database in options; XML-RPC is also not available / missing.

    I need to activate XML-RPC to keep my IFTTT working.

    How do I re-activate XML-RPC? All I need is a script that I can add in .htaccess or functions.php to activate XML-RPC.

    And why am I missing the XML-RPC functionality in my dashboard?

    Thank You!

    Reply
  14. Muhammad Ammar Ashfaq says:
    Jun 24, 2016 at 8:26 am

    I was searching for how to add this file xmlrpc.php to my WordPress; I am using version 4.5.3 and I came to this page. I need to add this PHP file because when I enable Jetpack I got an error of site_inaccessible. Please tell me how to resolve this error my site is

    Reply
    • WPBeginner Support says:
      Jun 24, 2016 at 9:52 pm

      Connect to your WordPress site using FTP client or File Manager in cPanel. In your website’s root directory look for xmlrpc.php file. If it is there, then try step 2. If it isn’t then download a fresh copy of WordPress. Unzip and extract it and upload xmlrpc.php file back to your site’s root directory.

      Step 2: Check your WordPress theme’s functions file for the code that disables XML-RPC.

      Step 3: Check your .htaccess and wp-config files.

      Reply
  15. omonaija says:
    Jun 22, 2016 at 2:53 pm

    Please, what can I do to enable XML-RPC on my site? Because I can’t log in using the WordPress mobile app on my smartphone.

    Reply
    • WPBeginner Support says:
      Jun 22, 2016 at 10:25 pm

      If you are using a security plugin on your WordPress site, then check its settings.

      Reply
  16. Mook says:
    Apr 19, 2016 at 9:43 pm

    Booyah! This WP filter fixed the script kiddie attack. I still firewalled the person, but I don’t have to watch the logs like a hawk to add more IPs to the firewall. THANK YOU.

    Reply
    • WPBeginner Support says:
      Apr 20, 2016 at 1:07 pm

      That’s why we use Sucuri.

      Reply
      • Alex says:
        Apr 22, 2016 at 1:00 pm

        Is that because Sucuri acts like the Disable XMLRPC plugin?

        If so I can remove my Disable XMLRPC plugin,

        Thanks

        Alex

        Reply
        • WPBeginner Support says:
          Apr 24, 2016 at 3:52 pm

          Sucuri acts like a firewall between your site and users. It blocks any suspicious activity before it could reach your website.

  17. Chad says:
    Mar 20, 2016 at 5:18 pm

    I’m totally on board with disabling xmlrpc.php server-wide in my /etc/httpd/conf/includes/pre_main_global.conf file. But I am left with this question… is there a way to determine that a particular plugin “NEEDS” xmlrpc.php in order to work? I have concerns with blocking access to it and then having an issue 2 months down the road and not knowing that the issue is with the fact that I blocked xmlrpc.php previously.

    Are there any common signs to look for in a log file or such which would point to a xmlrpc.php block as the cause?

    Reply
  18. Soumitra says:
    Feb 12, 2016 at 4:30 am

    Hi, I just installed the plugin , Disable XML-RPC

    Lets see!

    Reply
  19. Phranq says:
    Jan 31, 2016 at 8:20 pm

    Hey, I am using the WordPress app to post with my Android smartphone. Now I can’t log in, and my login credentials are correct. The response I got was “we can’t log you in couldn’t connect to the WordPress site”. Could you help me fix this WordPress app login error?

    Reply
    • WPBeginner Support says:
      Feb 1, 2016 at 12:04 pm

      If you had disabled XML-RPC then you may not be able to log in using the WordPress mobile app. Look in your theme’s functions.php file for this code:

      add_filter('xmlrpc_enabled', '__return_false');

      If it is there, then you need to remove it. You can also try deactivating plugins and turning them on one by one until you find the plugin that is stopping you from logging in using the WordPress mobile app.

      Reply
  20. Josiah says:
    Dec 18, 2015 at 8:01 am

    It’s worth noting, that “allow from 123.123.123.123” is optional, and if used should be updated to include your IP, or the IP of the device that needs access to xmlrpc.php (it would be good to cite examples in this article).

    Reply
  21. Natalie says:
    Dec 10, 2015 at 4:56 pm

    I am using GoodbyeCaptcha plugin to turn off the XML-RPC and works with no problem while Jetpack is activated.
    Hope it helps

    Reply
  22. ATI says:
    Nov 28, 2015 at 9:34 pm

    Sorry, I’ve tried this method many times. It didn’t work for me – in fact it brought the front end down (blocking visitors read access to the web page) after adding these codes to the .htaccess file.

    Reply
  23. Gretchen Louise says:
    Aug 3, 2013 at 11:48 pm

    Does disabling it this way prevent this issue? http://theaffluentblogger.com/operating-a-website/wordpress-xmlrpc-php-vulnerability-affects-shared-hosting-sites/ I have a friend whose site is continually crashing because of her xmlrpc file being attacked.

    Reply
    • Editorial Staff says:
      Aug 26, 2013 at 1:32 pm

      Yes it will prevent the attack to an extent.

      Reply
  24. Christopher Ross says:
    Nov 17, 2012 at 10:03 am

    Keith, there’s a trend in WordPress to move non-theme related functions out of the functions.php file and into a “site specific plugin”, basically a plugin that you only activate on one unique website and it stores the non-theme related functions for that site.

    You can accomplish the same thing by placing the code in your functions.php file.

    Reply
    • Keith Davis says:
      Nov 18, 2012 at 5:51 am

      Thanks Chris
      Looks like you guys have already covered it.
      https://www.wpbeginner.com/beginners-guide/what-why-and-how-tos-of-creating-a-site-specific-wordpress-plugin/

      BTW – what’s happened to your comments system?
      Was Livefyre, then something related to Twitter and Facebook, and now?

      Reply
  25. Keith Davis says:
    Nov 17, 2012 at 9:46 am

    Hi Guys
    Sorry to be a bit thick but could you expand on… “All you have to do is paste the following code in a site-specific plugin:”

    Which plugins are site specific?

    Reply
