InMotion Hosting Support Center

WordPress uses an implementation of the XML-RPC protocol in order to extend functionality to software clients.

This Remote Procedure Calling protocol allows commands to be run, with data returned formatted in XML.

Beginning with WordPress 3.5 the XML-RPC functionality is enabled by default, without a way to disable.

Do I need WordPress XML-RPC?

Most users don't need WordPress XML-RPC functionality, and it's one of the most common causes for exploits.

Some clients such as the official WordPress Mobile Apps and Blogger use XML-RPC requests to function.

All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.

A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API

Block WordPress xmlrpc.php requests with .htaccess

I want to send WordPress XML-RPC requests from my fictional IP address of

So I can deny all requests to the xmlrpc.php file, except for that IP, using the following .htaccess rules:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

If you didn't need any IP addresses to use XML-RPC requests, just don't use any allow lines.

Support Center Login

Social Media Login

Social Login Joomla

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
n/a Points
2014-04-21 4:41 am

These discussion helps me to understand xml rpc

n/a Points
2014-07-30 9:35 am
No suggestions, the explanation was clear and concise.
2015-02-27 4:49 pm
By completely blocking xmlrpc.php, isn't this also disabling the legitimate use of it for pingbacks?
n/a Points
2015-06-28 11:54 am

My WP site just got hacked by some Bangladesh' hackers group. Looking through access logs I discovered xmlrpc.php was flooded with POST requests. No FTP was used in the attack, so I assume hackers must have gained access through the xmlrpc. Disabled permanently.

Thank God they didn't do more damage.

n/a Points
2015-09-21 3:47 pm

you can disable per the following.

WordPress v3.5 introduces the filter xmlrpc_enabled:


You can add this code to your wp_config.php after the line require_once(ABSPATH .'wp-settings.php'); if you want to disable XML-RPC for your site. Surely a better solution is to create a small plugin.

n/a Points
2015-10-09 12:53 pm

As of February 2015, a plugin disables XML-RPC to where it's not a problem:

n/a Points
2016-05-15 6:14 am

There is a module for that here:

Post a Comment

Email Address:
Phone Number:

Please note: Your name and comment will be displayed, but we will not show your email address.

8 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?


Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail:
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!