---
title: "Disable WordPress XML-RPC requests"
description: "WordPress uses an implementation of the XML-RPC protocol in order to extend functionality to software clients. This Remote Procedure Calling protocol allows commands to be run, with data returned..."
url: https://www.inmotionhosting.com/support/edu/wordpress/disable-xml-rpc-requests/
date: 2013-09-05
modified: 2021-08-12
author: "InMotion Hosting Contributor"
categories: ["WordPress Hosting", "WordPress Tutorials"]
type: post
lang: en
---

# Disable WordPress XML-RPC requests

WordPress uses an implementation of the **[XML-RPC](https://codex.wordpress.org/XML-RPC_Support) protocol** in order to extend functionality to software clients.

This **Remote Procedure Calling** protocol allows commands to be run, with data returned formatted in **XML**.

Beginning with **WordPress 3.5** the **XML-RPC** functionality is **enabled by default**, without a way to disable.

## Do I need WordPress XML-RPC?

Most users don’t need **WordPress XML-RPC** functionality, and it’s one of the most common causes for exploits.

Some clients such as the official [WordPress Mobile Apps](https://wordpress.org/mobile/) and [Blogger](https://blogger.com) use **XML-RPC** requests to function.

All of the WordPress **XML-RPC** requests are remote **POST** requests to the **xmlrpc.php** script.

A full list of the different requests that can be made via **XML-RPC** can be found at [XML-RPC WordPress API](https://codex.wordpress.org/XML-RPC_WordPress_API)

## Block WordPress xmlrpc.php requests with .htaccess

I want to send WordPress **XML-RPC** requests from my fictional IP address of **123.123.123.123**.

So I can deny all requests to the **xmlrpc.php** file, except for that IP, using the following **.htaccess** rules:

# Block xmlrpc.php requests
<Files "xmlrpc.php">
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

If you didn’t need any IP addresses to use **XML-RPC** requests, just don’t use any **allow** lines.
