Digital Marketing

How to block XML-RPC on WordPress

By Pierre, on March 29, 2021, updated on November 29, 2022 - 2 min read

XML-RPC allows communication between WordPress and other systems. It has been present since the beginning of WordPress and has been used for exchanges with the mobile application, other blogging platforms or the all-in-one extension JetPack, among others. The REST API has replaced the XML-RPC. XML-RPC is no longer useful and it is recommended to disable it, especially since it is sensitive to Brute Force and DDoS attacks due to its specificities. The REST API is totally stable since many versions of WordPress. The XML-RPC is certainly living its last days, it has become totally obsolete.

Disable XML-RPC with a plugin

The following plugins allow to disable the xmlrpc.php. The first plugin is dedicated only to this task.

Disable XML-RPC (Philip Erb)
https://wordpress.org/plugins/disable-xml-rpc/

Disable xml-rpc plugin philip erb

Disable XML-RPC-API (Neatmarketing)
https://wordpress.org/plugins/disable-xml-rpc-api/

Disable xml-rpc plugin

Cerber Security, Anti-spam & Malware Scan (Cerber Tech Inc.)

wp cerber security anti spam

Clearfy (Creative Motion)

Loginizer (Softaculous) in its pro version

Disable the xmlrpc.php via the .htaccess file

In your .htaccess file, you just have to add the following code:

# BEGIN Disable XML-RPC request
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
# END Disable XML-RPC

Disable xmlrpc.php on your server

If you are on a Nginx server, ask your Sysadmin to add the following code to the Nginx.config file:

# nginx block xmlrpc.php requests
location ~* ^/xmlrpc.php$ {
return 403;
}

Block xmlrpc.php with wp-config.php

You can also add a filter at the end of the wp-config.php file. This will disable the XML-RPC. Add the code below just after the last ABSPATH statement:

add_filter('xmlrpc_enabled', '__return_false');

Disable the xmlrpc via the function.php file

Warning: this code has not been checked lately. To be tested on a site under development.

add_filter(‘xmlrpc_enabled’, ‘__return_false’);
// deactivate x-pingback HTTP header
add_filter(‘wp_headers’, function($headers) {
unset($headers[‘X-Pingback’]);
return $headers;
});
// deactivate pingbacks
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[‘pingback.ping’] );
return $methods;
} );
remove_action( ‘wp_head’, ‘rsd_link’ );

How to test if the XML-RPC is disabled

Once the module is installed and configured or once you have used one of the other methods, you can check if the XML-RPC is blocked with the following website: https://xmlrpc.eritreo.it/. Enter the URL of your site in the Address field and click on Check. If the XML-RPC is blocked, you will get the following result:

image 3

Note that it is not wise to just delete the xmlrpc.php file from your WordPress folder. It is possible that this will cause errors on your website and the file will reintegrate the code during the next WordPress updates.

Pierre