XML-RPC is a core WordPress API that allows users to connect to their WordPress website using third-party apps, tools, and services. The xmlrpc.php file, stored in the root directory of your site, provides this remote connection to WordPress and has been enabled by default since WordPress version 3.5.
Without XML-RPC, many tools and publishing applications would be unable to access the website remotely; the only alternative would be logging directly into the system. The REST API has since replaced this feature, but WordPress still ships it for backwards compatibility.
The biggest downside of keeping the xmlrpc.php file enabled is that it exposes your website to attacks such as DDoS and brute-force login attempts, and it can slow your website down because the PHP file consumes a lot of server resources. Deleting the file is not a solution: it will be recreated by the next WordPress update, and its absence may break third-party apps and plugins that depend on it to interact with WordPress. Disabling it is the best option for keeping your site secure. You can disable it with a plugin or by adding some code to your .htaccess file.
Method 1: Disabling Xmlrpc.php With Plugins
Installing a plugin is the easiest and fastest way to disable XML-RPC in WordPress.
- Log in to your WordPress admin dashboard using yourdomain/wp-admin
- Go to Plugins
- Search for Disable XML-RPC using the search box in the top right corner and install it
- Once the plugin is installed, click on Activate to activate the plugin on your site, and the xmlrpc.php file will be disabled
- And you’re all set. This plugin will automatically insert the necessary code to turn off XML-RPC.
Method 2: Disabling Xmlrpc.php by Adding Code to your .htaccess File
The code is simple and is especially useful if you do not want another plugin consuming your server resources. With this method you disable XML-RPC manually and stop xmlrpc.php requests at the web server, before they ever reach WordPress.
- Locate the .htaccess file in the File Manager or with your FTP client.
- You may have to turn on the ‘show hidden files’ option to see .htaccess.
- In the top right of the File Manager, click on Settings and check the box “show hidden files.”
- Click save and you will now see your .htaccess file.
- Open up your .htaccess file.
- Paste the following code inside your .htaccess file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
Now “Save” the file. It’s that simple. Remote connections through xmlrpc.php are now denied by the web server.
You can remove the line ‘allow from xxx.xxx.xxx.xxx’ completely, or change xxx.xxx.xxx.xxx to the IP address that should still be allowed to access xmlrpc.php.
Installing a new plugin or modifying a file can sometimes break your website, so there is some risk involved. Not to worry: we provide backups, which are a safety net in case your website breaks.
Disabling this feature eliminates the risk of external attackers gaining access to your website through it.
According to the contributors, the code in xmlrpc.php is as secure as the rest of the core files of a hosted WordPress website. If you need some of the functions required for remote publishing on your website, or you use the Jetpack plugin, you will have to re-enable xmlrpc.php.
So if you used either of the methods above to disable it, simply undo your plugin settings or remove the code from .htaccess to re-enable it.
Disabling XML-RPC on WordPress might not be the only step needed to stop hackers from exploiting your website; you should also install a powerful WordPress firewall to block out bots and malicious IPs.
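The brute-force and DDoS traffic mentioned above shows up in the web server's access log as bursts of POST requests to /xmlrpc.php from the same IP, and once the .htaccess rule is in place those requests should be answered with 403 instead of 200. The following script is an added example written for this article, not code from WordPress or from any plugin; it parses Apache combined-format log lines, counts xmlrpc.php requests per client IP, flags IPs above a threshold (the threshold value and the log lines are constructed assumptions), and reports which of them were still being served a 200, which means the block is not yet effective.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not from a real server).
# 203.0.113.7 hammers xmlrpc.php; the last two of its requests arrive after the block.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:00:06 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [10/May/2024:12:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method + path) and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def xmlrpc_requests(log_text):
    """Yield (ip, method, status) for every request whose path is /xmlrpc.php."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0].lower()
        if path != "/xmlrpc.php":
            continue
        yield m.group("ip"), m.group("method"), int(m.group("status"))


def summarize(log_text, threshold=5):
    """Count xmlrpc.php hits per IP, flag noisy IPs, and list IPs still served a 200."""
    per_ip = Counter()
    statuses = defaultdict(Counter)
    for ip, _method, status in xmlrpc_requests(log_text):
        per_ip[ip] += 1
        statuses[ip][status] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    still_served = sorted(ip for ip in per_ip if statuses[ip][200] > 0)
    return {"per_ip": dict(per_ip), "flagged": flagged, "still_served": still_served}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against your real access log with `summarize(open("access.log").read())`; an empty `still_served` list after the .htaccess change confirms the rule is active, and the `flagged` IPs are candidates for your firewall's block list.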