How to Disable XML-RPC in WordPress Manually & Plugins?

WordPress Disable XMLRPC

How to disable XMLRPC.php in WordPress - Xml Rpc WordPress Plugins

The XMLRPC.PHP is a system that authorizes remote updates to WordPress from various other applications. This post about WordPress Xmlrpc will help you understand why disabling WordPress XMLRPC is a good idea and 4 ways to disable xmlrpc in wordpress, manually & using plugins.

What is WordPress XMLRPC?

XMLRPC.php is a feature that allows remote connection to WordPress. This API offers developers of desktop apps and mobile apps an ability to communicate to your WordPress website. This API offers developers to write applications that empower you to do numerous things whenever you are logged in to WordPress through web interface including –

  •     Whenever you upload a new file such as an image for a post.
  •     Whenever you edit comments.
  •     Whenever you edit a post.
  •     Whenever you delete a post.
  •     Whenever you publish a post.
  •     Whenever you get a list of comments.

To have a better understanding of the xmlrpc.php file, it is imperative to be familiar with the following basics –

  • RPC is Remote Procedure Call – This helps you to call a procedure remotely from a workstation or a device.
  • XML (Extensible Markup Language) – This particular language is framed to store and transport data,  pretty much like HTTP.
  • HTTP (Hyper Text Transfer Protocol) – It is an application protocol that defines how the messages will be formatted and further transmitted over the World Wide Web. The protocol also determines the actions of both the web servers and browsers in response to the commands. In this case, with the help of HTTP, the data can be easily transferred from a remote device to a website.
  • PHP (Hypertext Pre-processor) – It is a scripting and programming language. This particular language mainly serves dynamic websites. It is used to strike a conversation between –
  • The user
  • The website
  • The databases

So, technically speaking, with xmlrpc.php file a remote procedure call gets facilitated. This is done using XML to encode the message and send it across HTTP. Using this, information can be exchanged between devices or computers.


Why you should disable XML-RPC in WordPress

Although it does sounds amazing to updating a website with a single command that is triggered remotely. but unfortunately, it also raises a big red flag , and that’s exactly what happened with the XML-RPC function in WordPress.

Initially, it was a good idea to include this functionality in wordpress, but soon it was realized that it may open a backdoor in wordpress for hackers, script bots or anyone trying to access your wordpress site to enter and abuse it. Before WordPress 3.5, this functionality was disabled by default but soon after nowadays wordpress xmlrps is turned on by default.

No doubt, this has become the most abused functionality on wordpress. It may result in loads of faulty requests from hackers, bots and scripts, all trying to hack into your WordPress site via an organised XML-RPC WordPress DDOS attack.

Common XML-RPC Attacks

In the past two years, following two attacks on XMLRPC have received immense coverage, let us discuss them in detail –

  • Brute force attacks via XML-RPC – You don’t need to worry if you have the expert guidance of WP hacked help because once the hacker has reached the login attempt limit, we simply block the hacker. As per the attack, the hacker tries to login to your WordPress website with the help of xmlrpc.php. Let us see, in detail below, how this is done and how you are going to take advantage of this while you are testing a website for potential WordPress vulnerabilities. With a single command, hackers can examine hundreds of different passwords. As a result, this enables them to bypass security tools which detect and blocks brute force attacks in wordpress. You can protect your website from hackers with our WordPress Security services.
  • DDoS via XML-RPC pingbacks – This cannot be termed as an effective type of DDoS and numerous anti-spam plugins were able to successfully discover this type of abuse. With this, hackers were using the pingback feature in WordPress for sending pingbacks to thousands of sites at once. This xmlrpc.php feature offers hackers with numerous IP addresses to send their DDoS attacks.

 BrutForce Attack

1 – When you open xmlrpc.php, you will see this located at –

http://<>/<wordpress directory>/xmlrpc.php

WordPress XML-RPC Attack

2- Now, open your proxy and you need to send the request again.

Xml Rpc WordPress

3- At this stage, you need to send a post request and make a list of all methods accessible to you. You might be wondering why? This is how you are going to be familiar with all the actions that are possible to make and use it for the attack.

To list all the methods, you need to send a post request with the post data mentioned below in the image, you will receive a feedback with all the methods available.


WordPress XML-RPC Vulnerability

Have a closer look at the following, if they are with you then we can move ahead with the attack


3- You need to send the following in the POST request in order to carry out brute force login. If you are aware of any other valid usernames, wp-scan can help you find valid usernames.


 brute force xmlrpc wordpress

4 – All you need to enter this into intruder and brute force away. It does not matter whether you have entered a correct password or wrong, you will end up having a correct response. This is where you will have to decide between the wrong and correct based on the size of the response. In case you are using intruder, the response on the correct login will be like the following –

 XML-RPC Vulnerability wordpress

What Can XML-RPC Be Used For

XMLRPC has its fair share of uses, let us discuss them –

  • Apply pingbacks and trackbacks – As per this method, blogs are being notified that you have linked to them. XMLRPC trackbacks are made manually and short extract has to be shared. XMLRPC pingbacks are automated and no short extract needs to be shared.
  • Provision of accessing your website remotely and able to make changes – Let us assume a situation where you have to make changes to your WordPress blog, but unfortunately you don’t have access to your laptop or computer.

You can install the WordPress application on your smartphone  to post to your website. The app can carry out this with the help of a feature known as remote access which is enabled by a file known as xmlrpc.php.

  • Enables JetPack plugin to connect to – In the past couple of years, the plugin has gained immense popularity across the globe. With JetPack plugin, you can design, secure and grow your WordPress website. If you use an amalgamation of the WordPress app and JetPack, you will need the xmlrpc.php file for its smooth functioning.

How to disable XMLRPC in WordPress?

Why not just disable xmlrpc altogether

It is easy to do this with the help of the plugin discussed above; however, if you use famous plugins such as JetPack then those plugins will stop working completely.

This is where we will discuss three ways using which you can easily disable XML-RPC in WordPress website.

1. Disable XML-RPC in WordPress 3.5

All you have to do is paste the following code in a site-specific plugin:

add_filter('xmlrpc_enabled', '__return_false');

2. Disabling XML-RPC with a plugin –

Since there are multiple plugins in the WordPress repository, disabling xmlrpc.php will be easy-peasy. We are going to show you how to do it, step by step, with the help of ‘disable xmlrpc plugin’.

  •     In the first step, you need to login to your wp-admin dashboard. Once you have logged in, you have to go to Plugins.
  •     You will see add new next to the plugins.

plugin disable xmlrpc

With the help of a search bar, you need to look for disable Xmlrpc. You need to see the following plugin in the results –

plugin disable xmlrpc wordpress

This is where you need to activate and install a disable xmlrpc plugin. Once you activate the plugin, the xmlrpc feature will be disabled. The version of your WordPress website must be 3.5 and above.

Since the plugin is free, so you should keep a check on the regular updates that the plugin receives, ensuring that it is still   in use by its creator.

WordPress Disable Xmlrpc Plugins

Disable XML-RPC

This plugin will work on WordPress website version running on 3.5 or above. WordPress websites running on version 3.5 or above, xmlrpc is enabled by default. Furthermore, the option that enables and disables the xmlrpc was removed. There are numerous reasons due to which the owners may want to disable the functionality. Using this plugin, it can be easily done. Here is how you can install this plugin –

  •     To install this plugin, you need to upload the xmlrpc directory to the /wp-content/plugins/directory while you install WordPress.
  •     You can activate the plugin by going through the ‘Plugins’ menu in WordPress.
  •     At this stage your xmlrpc is disabled.

Remove & Disable XML-RPC Pingback         

You don’t have to be a victim of pingback denial of service attacks. Once you have activated the plugin, xml-rpc is disabled automatically. The best thing about this plugin is that you don’t have to configure anything. When you disable xmlrpc pingback, you will be able to cut down the server CPU usage.

wordpress XMLRPC pingback attack


Install the plugin using the WordPress dashboard –

  • In the plugins dashboard, you need to navigate to the ‘Add New’.
  • This is where you need to look for ‘Remove XMLRPC Pingback Ping’.
  • At this stage, you need to hit ‘Install Now’.
  • Now, you have to activate the plugin on the plugin dashboard.

Uploading in WordPress Dashboard –

  • In the plugin dashboard, you need to navigate to the ‘Add New’.
  • Move to the ‘Upload’ area.
  • This is where you need to select from your laptop/computer.
  • You need to hit ‘Install Now’.
  • Now, you have to activate the plugin on the plugin dashboard.

Using FTP –

  • In the first step, you need to download
  • You have to extract the remove-xmlrpc-pingback-ping directory to your laptop/computer.
  • At this stage, you need to upload the remove-xmlrpc-pingback-ping directory to the /wp-content/plugins/ directory.
  • Now, you have to activate the plugin on the plugin dashboard.


This is one of the most effective WordPress plugins which helps you fight against a brutforce attack. The plugin does this by blocking the login for the IP once it has reached the highest retires allowed. With the help of this plugin, you can easily blacklist or whitelist IPs for login purposes. Loginizer also provide the accessibility to use passwordless login to your wordpress site. You have the provision of using features like – reCAPTCHA, PasswordLess Login, Two Factor Author, etc.

Follow the below-mentioned steps to install the plugin –

  • First and foremost, you need to login to your WordPress admin panel.
  • The second step involves going to the Plugins tab, subsequently moving on to Add New.
  • This is where you have to look for Loginizer.
  • Hit the button of Install Now.
  • To activate the plugin, you need to hit the button of Activate.
  • Go to your dashboard, moving on to Settings, then on to Loginizer.
  • It is up to you whether you want to configure settings or want to use the default settings.
  • This is done and you are ready to go.

Simple Login Captcha  

All you need is a random three-digit number for WordPress login. You can see the correct number which is displayed above the field through a JavaScript code. The best thing about the plugin is that it is compatible with WooCommerce login form.

Pretty much like any other plugin, you just need to install and activate the plugin. It lacks settings.

  • Firstly, you need to visit your Plugins Add New Screen.
  • You can look for the plugin by searching Simple Login Captcha.
  • Hit the button of ‘Install Now’ to install the plugin.
  • Hit the button of ‘Activate’ to activate the plugin.

3. Disabling XML-RPC via .htaccess –

Talking about Apache web server software, .htaccess files alter the configuration of the files. As a result, before it gets passed on to WordPress, the access requests are disabled.

You can easily disable xmlrpc in WordPress by following the below-mentioned steps –

  • With the help of File Transfer Protocol client – Filezilla, you can easily access your website.
  • Now, you need to access .htaccess in your root folder.
  • There can be a situation where the default settings may hide the file. If you come across such a situation, go to the settings and hit the button of ‘Show Hidden Folders’. You have to ensure you have saved the changes. At this stage, you should be able to view your file.
  • Once you have opened the file, you need to type in the below-mentioned code –
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

At last, save all the changes you have made and you are good to go.

If you still have any query or doubt regarding how to disable xmlrpc in WordPress, you can get in touch with us and our expert team will help you out.

Also check out our GUIDE ONMost Common WordPress Errors in 2020

fix wordpress xmlrpc issues help

Other WordPress Issues & Their Fixes:

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)