How to Disable XMLRPC.PHP in WordPress

One item in the security audit we perform on every site we manage is disabling xmlrpc.php in WordPress.

What Is xmlrpc.php?

WordPress includes a feature called XML-RPC that lets data be exchanged over HTTP, with XML used to encode the data. The security concern is that it lets a website be accessed from any custom admin software or mobile application, not just through the browser.

How to Disable XML-RPC with a Plugin

Fortunately for the non-techies, there is a free plugin that can do this for you.

The plugin is called Disable XML-RPC.

Installation

  1. Upload it to the /wp-content/plugins/ directory (or install it through the plugin panel).
  2. Activate the plugin.
  3. Bam! XML-RPC is now disabled.

How to Disable XML-RPC Manually

Use the .htaccess file in the root folder. The process is not too complicated, but keep in mind that you can easily break the site. Most hosts can perform this change as part of their service; if yours does not, find another host, as they should take security seriously.

In the root folder, where your wp-config file lives, you should see the .htaccess file. If you do not, you need to turn on hidden files: your FTP program usually has an option for this, as does the file manager in your hosting control panel.

# Block WordPress xmlrpc.php requests
# The <Files> wrapper limits the rule to xmlrpc.php; without it the
# deny would apply to the whole site.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.56.789.111
</Files>

You will want to place it below the WordPress rules block, like this:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.56.789.111
</Files>

If you want to allow a specific IP, keep the last line “allow from 123.56.789.111” and replace 123.56.789.111 with your own IP address; leave that line out to block every request to xmlrpc.php.
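As an added example (not from the original post), here is the same block written so that it works on both Apache 2.2 and Apache 2.4, where the Order/Deny/Allow directives only work if the mod_access_compat module is loaded; 203.0.113.10 is a placeholder address to replace with your own.

```apache
# Added example, not from the original post. Blocks xmlrpc.php on both
# Apache 2.2 and 2.4 and lets one administrator address through.
# 203.0.113.10 is a placeholder (documentation range); replace it with
# your own IP. To block everyone instead, change "Require ip ..." to
# "Require all denied" and delete the "Allow from" line.
<Files "xmlrpc.php">
    # Apache 2.4: mod_authz_core syntax. A lone "Require ip" denies
    # every client that does not match.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2: legacy syntax (accepted on 2.4 only when
    # mod_access_compat is loaded, hence the module test above).
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

After saving, request /xmlrpc.php from an address that is not on the allow list: it should return 403 while the rest of the site still loads, which confirms the block is scoped to that one file.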

That’s it! If you need any help with managing your WordPress website, feel free to comment or contact us.