InMotion Hosting Support Center

WordPress uses an implementation of the XML-RPC protocol in order to extend functionality to software clients.

This Remote Procedure Calling protocol allows commands to be run, with data returned formatted in XML.

Beginning with WordPress 3.5 the XML-RPC functionality is enabled by default, without a way to disable.

Do I need WordPress XML-RPC?

Most users don't need WordPress XML-RPC functionality, and it's one of the most common causes for exploits.

Some clients such as the official WordPress Mobile Apps and Blogger use XML-RPC requests to function.

All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.

A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API

Block WordPress xmlrpc.php requests with .htaccess

I want to send WordPress XML-RPC requests from my fictional IP address of 123.123.123.123.

So I can deny all requests to the xmlrpc.php file, except for that IP, using the following .htaccess rules:

# Block WordPress xmlrpc.php requests

order deny,allow
deny from all
allow from 123.123.123.123

If you didn't need any IP addresses to use XML-RPC requests, just don't use any allow lines.

Support Center Login

Our Login page has moved, Click the button below to be taken to the login page.

Social Media Login

   
Social Login Joomla

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question
n/a Points
2017-03-11 8:15 am

I'm using nginx for wordpress and and I can see there are many request for xml-rpc file being made that is causing un-necessary blocking of server.

Please help to bloxk xml-rpc on nginx, site is : http://dealslama.com

Staff
422 Points
2017-09-25 12:07 pm
Hello,

If you wanted to block access to the xmlrpc.php in NGINX you can add the entry below to your NGINX configuration. This entry uses the 444 Response which is unique to NGINX and will cause NGINX to terminate the connection to the client requesting it without sending a response which will help save processing power/bandwidth if your server is being attacked.


location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}


Best Regards,
Kyle M
n/a Points
2016-05-15 6:14 am

There is a module for that here: https://wordpress.org/plugins/disable-xml-rpc/

n/a Points
2015-10-09 12:53 pm

As of February 2015, a plugin disables XML-RPC to where it's not a problem: https://wordpress.org/plugins/disable-xml-rpc

n/a Points
2015-09-21 3:47 pm

you can disable per the following.

WordPress v3.5 introduces the filter xmlrpc_enabled:

add_filter('xmlrpc_enabled','__return_false');

You can add this code to your wp_config.php after the line require_once(ABSPATH .'wp-settings.php'); if you want to disable XML-RPC for your site. Surely a better solution is to create a small plugin.

n/a Points
2015-06-28 11:54 am

My WP site just got hacked by some Bangladesh' hackers group. Looking through access logs I discovered xmlrpc.php was flooded with POST requests. No FTP was used in the attack, so I assume hackers must have gained access through the xmlrpc. Disabled permanently.

Thank God they didn't do more damage.

2015-02-27 4:49 pm
By completely blocking xmlrpc.php, isn't this also disabling the legitimate use of it for pingbacks?
n/a Points
2014-07-30 9:35 am
No suggestions, the explanation was clear and concise.
n/a Points
2014-04-21 4:41 am

These discussion helps me to understand xml rpc

Post a Comment

Name:
Email Address:
Phone Number:
Comment:
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

9 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!