Are you searching for an easy way to disable XML-RPC in your WordPress website?
In this tutorial, we have shared multiple ways to do this easily.
XML-RPC was created to facilitate communication between WordPress and other systems.
In other words, it is a feature in WordPress that allows the transfer of data and was introduced to let users post their blogs using a weblog client.
Attackers often exploit this feature, and because it is active by default in every WordPress installation, it is recommended that you block it.
As mentioned above, there are multiple ways to disable XML-RPC in WordPress.
We recommend using the Solid Security plugin for this.
It is a popular WordPress security plugin, available for free, and with just a few clicks you can disable XML-RPC.
Below we have listed all the ways.
Deactivate XML-RPC using a plugin
If you are searching for an easy and no-code way to block XML-RPC in your WordPress site then this is the method for you.
We will be using the Solid Security plugin for this.
This method is best for beginners as you do not have to edit any website-related files.
All you have to do is install the Solid Security plugin and select the option that disables this feature in WordPress.
Coming to the process.
Once you have Solid Security set up, the first step is to navigate to Settings under Security in your WordPress dashboard.
This will show you all the Solid Security Global Settings along with a few more options on the left.
Here you need to click Advanced and it will show you WordPress Tweaks settings.
In the next step, you have to click the WordPress Tweaks Settings dropdown and it will show you the Disable File Editor option followed by API Access settings under which you will find the XML-RPC dropdown.
You will get 3 options to choose from:
- Enable XML-RPC (By default selected)
- Disable XML-RPC
- Disable Pingbacks
Here you need to select the Disable XML-RPC option and click Save changes.
And that’s it: you have successfully disabled XML-RPC in your WordPress website.
Disable XMLRPC using a filter
If you are looking for a code snippet to block xmlrpc.php in your WordPress website then this method is for you.
In this method, you will have to add the code snippet below in the functions.php file or a site-specific plugin.
// Core WordPress filter: turns off the XML-RPC methods that require authentication.
add_filter( 'xmlrpc_enabled', '__return_false' );
In case you are wondering where you will find the functions.php file, follow the steps below.
You will find the functions.php file in the Theme File Editor inside your WordPress dashboard.
If you are using a customizer-based theme such as Kadence, Astra, Hello, and more then you will find the Theme File Editor under Appearance in your WordPress admin.
For block theme users, you will find Theme File Editor under Tools in your WordPress dashboard.
Once you have located the Theme File Editor, you need to click it to open and it will show you all the theme-related files.
Here you will have to find the functions.php file and click to open it.
In the next step, you will have to add the code snippet mentioned above towards the end of the file and save changes by clicking Update File.
And that’s it: you have successfully disabled xmlrpc.php in WordPress using a code snippet.
Before we move forward, there are a few things you need to know if you are using this method:
- We recommend installing a child theme before editing Theme files as it will retain the code snippet when updating the theme.
- Use a separate functions.php file for your Child theme. Create a copy of the Parent theme functions.php file.
- In case you are unable to find the functions.php file then you will have to visit the file manager in your web hosting dashboard or cPanel and edit it there.
- If Theme File Editor is missing in your WordPress dashboard then most likely you have disabled file editing and in this scenario, you will have to edit the functions.php file through your web hosting dashboard, cPanel, or using FTP.
Again, just a word of caution: if you are new to WordPress or are not yet comfortable editing theme files, we recommend that you use the plugin mentioned above (Solid Security) to disable XML-RPC in WordPress.
Block XML-RPC through .htaccess
If you know your way around WordPress and want to disable XML-RPC through .htaccess then this part of the tutorial is for you.
Please note: If you are new to WordPress then this method is not for you. A slight mistake here will lead to your site going down. Also, .htaccess is a file that you will find on Apache servers and not on nginx. In case your site is hosted on an nginx server, we recommend contacting your web hosting company for this.
To disable XML-RPC using this method, you will need the code snippet shared below.
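# Deny all web access to xmlrpc.php (Apache 2.4 syntax, with an Apache 2.2 fallback)
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>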
Now that you have the code snippet, you will have to add it to the .htaccess file, which you will find in your web hosting dashboard or cPanel.
Another thing that you have to know here is that some SEO plugins allow you to edit the .htaccess file through your WordPress dashboard which makes the process easier.
However, we do not recommend doing it.
Reason: At times changes aren’t reflected, which can leave you confused. Also, it is a security risk.
Personally speaking, we use Squirrly SEO and it comes with all the features we need for optimizing our pages and posts for search engines.
Check if XMLRPC is deactivated
Once you are done disabling XML-RPC in your WordPress website, the next step is to check if it is blocked.
For this, you need to visit https://your-site.com/xmlrpc.php and it will show you a Forbidden error letting you know that it is successfully disabled.
Please note: In the above URL, you need to replace your-site.com with your website’s domain name.
And this shows you have successfully disabled XML-RPC on your WordPress site.
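A scripted version of this check, as an added example that is not part of the original tutorial: it requests /xmlrpc.php and classifies the answer. The verdict names, the User-Agent string and the sample responses are assumptions made for illustration.

```python
"""Added example: classify how a site answers a GET request for /xmlrpc.php."""
import sys
import urllib.error
import urllib.request

# Text WordPress sends when xmlrpc.php is served and receives a non-POST request.
POST_ONLY = "XML-RPC server accepts POST requests only"


def classify(status: int, body: str) -> str:
    """Map an HTTP status code and response body to a verdict string."""
    if status == 403:
        return "blocked"      # Forbidden: the result the tutorial tells you to expect
    if status == 404:
        return "not-found"    # the file is missing or the path is rewritten
    if POST_ONLY in body:
        return "reachable"    # the request still reached WordPress
    return "unknown"          # anything else needs a manual look


def probe(site: str, timeout: float = 10.0) -> str:
    """GET <site>/xmlrpc.php and classify the answer."""
    url = site.rstrip("/") + "/xmlrpc.php"
    req = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status and body are still available.
        status, raw = err.code, err.read(4096)
    return classify(status, raw.decode("utf-8", "replace"))


# Constructed sample responses (status, body); not captured from a real site.
SAMPLES = [
    (403, "<h1>Forbidden</h1>"),
    (405, "XML-RPC server accepts POST requests only."),
    (200, "XML-RPC server accepts POST requests only."),
    (404, "<h1>Not Found</h1>"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # e.g. https://your-site.com
    else:
        for status, body in SAMPLES:
            print(status, classify(status, body))
```

Pass your site's URL as the only argument. A `reachable` verdict means requests still get through to WordPress, which is what you will see if only the `xmlrpc_enabled` filter is in place, since that filter turns off the methods that require authentication rather than the file itself.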
FAQ
What is XML-RPC
XML-RPC is a core WordPress API that allows communication between WordPress and 3rd party software and services.
As the name suggests XML stands for extensible markup language and RPC stands for remote procedure call.
XML-RPC uses HTTPS as transport and XML as encoding for remote procedure calls.
Simply put, XMLRPC is used for transmitting, processing, and returning complex data structures.
This API has been a part of WordPress since 2003, however, it was disabled by default in the beginning.
Since the release of WordPress 3.5, it has been enabled by default.
According to WordPress security experts, XML-RPC is outdated and can lead to your site getting hacked.
This is the reason why XML-RPC has now been replaced with the REST API.
It is important to know that in WordPress the xmlrpc.php file contains all of the code related to this API.
You will find this file in the root directory of your WordPress installation.
What is the purpose of xmlrpc.php?
As mentioned above, xmlrpc.php is a file in WordPress that contains code and systems related to the XML-RPC API.
This API allows the transfer of data between WordPress and other software and services.
For example, if you are using software to publish and manage posts on your site, chances are it is using XML-RPC.
Why disable XML-RPC in WordPress
XML-RPC has been around for a while and its first implementation dates back to April 1998 in Frontier.
This was even before WordPress was released.
Since its release, XML-RPC has been consistently updated. However, over the years it has gotten a bad reputation as it can be exploited.
Remember, the problem is not XML-RPC but how it is implemented by different users to connect with your site which can lead to cybersecurity risks.
For example, the Jetpack plugin by WordPress still uses XML-RPC.
If you are not using a service or a plugin that requires XML-RPC, it is recommended that you disable it.
Which is the best way to disable XML RPC in WordPress?
We recommend you use the Solid Security plugin to disable XML-RPC in WordPress.
Here is the reason why.
This feature is included in the free version of the plugin and with just a few clicks you can disable XML-RPC in your WordPress site.
Other than this, using a plugin removes the hassle of editing theme-related files for adding code.