Disable WordPress XML-RPC requests
WordPress uses an implementation of the XML-RPC protocol in order to extend functionality to software clients.
This Remote Procedure Calling protocol allows commands to be run, with data returned formatted in XML.
Beginning with WordPress 3.5 the XML-RPC functionality is enabled by default, without a way to disable.
Do I need WordPress XML-RPC?
Most users don't need WordPress XML-RPC functionality, and it's one of the most common causes for exploits.
All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.
A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API
Block WordPress xmlrpc.php requests with .htaccess
I want to send WordPress XML-RPC requests from my fictional IP address of 18.104.22.168.
So I can deny all requests to the xmlrpc.php file, except for that IP, using the following .htaccess rules:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 22.214.171.124 </Files>
If you didn't need any IP addresses to use XML-RPC requests, just don't use any allow lines.
Support Center Login
Social Media Login
2015-02-27 4:49 pm
By completely blocking xmlrpc.php, isn't this also disabling the legitimate use of it for pingbacks?
2015-06-28 11:54 am
My WP site just got hacked by some Bangladesh' hackers group. Looking through access logs I discovered xmlrpc.php was flooded with POST requests. No FTP was used in the attack, so I assume hackers must have gained access through the xmlrpc. Disabled permanently.
Thank God they didn't do more damage.