Looking for a WordPress disable XMLRPC plugin? Or, perhaps you want to disable XMLRPC manually via a short code snippet? Look no further because in this article we will show you how to disable XMLRPC using both methods.
But before we dive into the steps for both methods, we’ll try to address some basic questions that you are probably thinking of, like:
- How big of a security threat is XMLRPC?
- Why does it exist in the first place?
- Is disabling the XMLRPC enough?
Rest assured, we will answer all your burning questions. Now, let’s get started.
When not to disable XMLRPC?
The XMLRPC was developed to enable WordPress to communicate with other systems. For instance, using the WordPress application on your mobile requires XMLRPC.
These days, you don’t really need XMLRPC because of the REST API which now transfers data between WordPress and other systems.
That said, XMLRPC is still included in a WordPress install because of backward compatibility. We all know that keeping your website up to date is extremely important, but there are cases in which website owners decide to hold back on updates. And if their site is running on a version that predates the REST API, then it’s better to keep the XMLRPC file enabled.
However, as you may already know, the biggest downside of keeping the XMLRPC file enabled is that it’s known to introduce vulnerabilities to a WordPress website. Hence, we strongly suggest installing a WordPress security plugin on your site to keep hackers at bay.
You may want to hold on to the PHP file (i.e. xmlrpc.php) when you are using an application that can’t access the REST API but can access XMLRPC. In this particular case, XMLRPC is just a temporary solution and we highly recommend that you find an application that is compatible with the REST API.
Now that you know when not to disable the XMLRPC, let’s look at all the valid reasons why you should disable the PHP file:
The common reason to disable the XMLRPC file is that it makes your website vulnerable to hack attacks, like DDoS and brute force attacks. The PHP file also tends to use up a lot of your server resources, making your website super slow.
Some plugins, like Jetpack, are known to run into issues with XMLRPC.

So, if you want to disable the XMLRPC file, follow the steps below.
How to disable XMLRPC
There are two ways to disable the XMLRPC file. You can do it by using a plugin or manually. We cover both methods below. Let’s dive in…
Important – Before you proceed further, make a backup of your entire website. To follow this tutorial, you need to install a plugin or modify your WordPress files. Websites are often known to break when a new plugin is installed and modifying files is a risky business. Backups are a safety net that you can fall back on during unfortunate circumstances. So, make sure you are taking a backup before you proceed.
WordPress disable XMLRPC with a plugin
There are plenty of plugins that’ll disable XMLRPC on your WordPress website. In this tutorial, we are going to use the most popular one: Disable XML-RPC. If you can’t use it, then you can try one of the following alternatives:
Pro Tip: Do you have a security plugin installed on your website? Then inquire whether you can disable XMLRPC using that security plugin. For instance, iThemes can disable XMLRPC with the click of a button.
Now, let’s disable XMLRPC using the Disable XML-RPC plugin.
Download and install the Disable XML-RPC plugin on your WordPress website. And that’s it. The plugin will automatically disable the PHP file without you having to raise a finger.
Using plugins is a great way to resolve issues on a WordPress website, but there is a downside to installing plugins: they consume a lot of your server resources. That’s why the manual way might be preferable to many website owners.
WordPress disable XMLRPC manually
There are three ways to manually disable the XMLRPC. You can do it by using a filter, by modifying the .htaccess file, or by modifying the Nginx config file. Let’s try all of them out.
Disable using the .htaccess file
To edit the .htaccess file, you will need to open your hosting account, go to cPanel → File Manager → public_html → .htaccess. Just right-click and select Edit on the .htaccess file. Next, insert the following code at the end of the file:
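# Block WordPress xmlrpc.php requests
# Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat
# (the native 2.4 form is: Require all denied)
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
</Files>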
Don’t forget to hit save before closing the window or tab.

Side Note: If you have never dealt with the backend of your WordPress website, then editing the .htaccess file will be a daunting task. We recommend learning more about the functions and importance of the file and then trying out various methods to edit the .htaccess file.
Disable using config file
Before we show you the steps, here’s a disclaimer. This particular method is effective only if your website is hosted on an Nginx server.
Not sure whether your website is hosted on Nginx? Here’s how you can find out:
1. Right-click anywhere on your website and then select Inspect.
2. Go to Network and you’ll be asked to reload the website. Next, select All.

3. A list of requests appears under a section called Name. Click on any of the entries and, on the side panel, go to Headers and scroll down. You should see the name of your server.

If your site is hosted on Nginx, then proceed to the next step.
The config file can be found in the same folder where the .htaccess is located. Just open your hosting account and go to cPanel → File Manager → public_html → wp-config.php. Right-click on the file and select Edit. Insert the following code into the file:
# Nginx directive: valid only inside the server { } block of the site's Nginx configuration
location ~* ^/xmlrpc\.php$ {
    return 403;
}

After saving the settings, if you open the XMLRPC file from your website’s frontend, it’ll throw a 403 error. See for yourself. Simply add /xmlrpc.php to the end of your website’s URL (https://yourwebsite.com/xmlrpc.php) and hit enter.
Disable using a filter
You can disable the XMLRPC file by writing a plugin, adding the following filter to it, and making sure that the plugin is installed and activated on your website.
add_filter( 'xmlrpc_enabled', '__return_false' );
As you can understand, this particular option is ideal for developers. For people with ordinary technical abilities, we suggest the config or .htaccess file options.
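The 403 check from the config file section can also be run from a script, and the same script shows how the filter option differs. This is an added example, not code from the original article; `check_xmlrpc` and `classify` are names chosen here. The `xmlrpc_enabled` filter only switches off XML-RPC methods that require authentication, so with the filter alone WordPress still answers the request and the script reports `reachable` rather than `blocked`.

```python
import sys
import urllib.error
import urllib.request

# Unauthenticated XML-RPC introspection call; it changes nothing on the site.
PROBE = (b'<?xml version="1.0"?><methodCall>'
         b"<methodName>system.listMethods</methodName><params/></methodCall>")
MAX_BODY = 1 << 20  # the response is untrusted input: cap what is read


def classify(status, body):
    """Map an HTTP status and response body to (state, detail)."""
    if status == 403:
        # What the .htaccess and Nginx rules produce.
        return "blocked", "HTTP 403"
    if status == 200 and b"<methodResponse>" in body:
        # WordPress answered the call, so the endpoint is still served.
        if b"<fault>" in body:
            return "reachable", "HTTP 200, XML-RPC fault returned"
        count = body.count(b"<string>")
        return "reachable", f"HTTP 200, {count} methods listed"
    return "unknown", f"HTTP {status}, not an XML-RPC reply"


def check_xmlrpc(site_url, timeout=10):
    """POST the probe to <site_url>/xmlrpc.php and classify the reply."""
    url = site_url.rstrip("/") + "/xmlrpc.php"
    req = urllib.request.Request(
        url, data=PROBE, headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(MAX_BODY))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is still what matters.
        return classify(err.code, b"")
    except OSError as err:  # DNS failure, refused connection, timeout
        return "unknown", f"request failed: {err}"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_xmlrpc.py https://yourwebsite.com")
    state, detail = check_xmlrpc(sys.argv[1])
    print(f"{state}: {detail}")
    sys.exit(0 if state == "blocked" else 1)
```

The exit code is 0 only when the endpoint is blocked, so the script can be re-run after a server or hosting change to confirm the rule is still in place.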
Nothing worked?
If you tried the steps we have shown in this article but couldn’t achieve the desired results, then talk to your hosting provider. They should be able to tell you what’s going wrong and how to disable XMLRPC on your WordPress website.
Conclusion
Disabling XMLRPC will ensure that your website is secure from certain types of hack attacks, like DDoS and brute force attacks. But there are plenty of other ways to invade your website, so we recommend following our guide on WordPress security to ensure complete protection of your WordPress site.
That’s all for this one, folks! Were you able to disable XMLRPC on WordPress? Let us know in the comments below.