avatar Deluxe Blog Tips About Projects

Disabling XML-RPC in WordPress

While monitoring hits to this blog, I recognize that the file which received most hits is xmlrpc.php. I was surprise because I don't use XML-RPC for remote access, posting at all. I guess the problem may comes from bots, spammers or even hackers. So I decided to disable XML-RPC completely and here is how I did that.

What is XML-RPC?

XML-RPC is a Remote Procedure Call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. XML-RPC also refers generically to the use of XML for remote procedure call, independently of the specific protocol.

Briefly, you use XML-RPC when you want to do something remotely to your blog such as posting, viewing comments, etc.

How XML-RPC is used in WordPress?

By default, WordPress enables XML-RPC automatically! It creates an API for XML-RPC to let us interact (get, read, edit, post, etc.) posts, comments, taxonomies, media, users and even options which means everything!

But where you can find application of XML-RPC in WordPress? The answer is many places:

  • Pingback
  • iPhone/Android app
  • Remote posting by Microsoft Word for example.
  • Your own apps, perhaps!

How to disable XML-RPC in WordPress

As I said earlier, enabling XML-RPC without knowing about its functionality is no different to open a backdoor for spammers and hackers. It sometimes just wastes your server/hosting resources. Disable it if you don't need.

First of all, you need to turn off XML-RPC functionality in WordPress, using this code (you better put it in a functionality plugin):

add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'pings_open', '__return_false' );

These simple lines tells WordPress to stop all remote requests using XML-RPC. If you can't add the snippet to your website, use the Falcon plugin, which helps you disable XML-RPC and also provides a lot of tweaks and optimizations for your WordPress website.

But there's still a room to improve the performance. Instead of making WordPress handles requests to xmlrpc.php, why don't we make web server like Apache or nginx handle them? Requests will be denied in a lower layer of application, thus improving performance in general.

Denied requests to xmlrpc.php by Apache or nginx

To deny requests to xmlrpc.php in Apache, add this code to .htaccess file:

<IfModule mod_alias.c>
    RedirectMatch 403 /xmlrpc.php


<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all

If you're using nginx, this is the code you should add to server block:

server {
    location = /xmlrpc.php {
        deny all;

That's all. Your blog is fully protected from unexpected remote requests using XML-RPC. And hopefully it saves server resources and improve website performance.

🔥 HOT: Interested in boosting your WordPress SEO? My Slim SEO plugin is a super lighweight and automated plugin that handles most the hard work for you: meta tags, sitemap, redirection, schema & link building.

👉 Have a look and you will love it: wpslimseo.com