Disable WordPress XML-RPC requests
WordPress uses an implementation of the XML-RPC protocol in order to extend functionality to software clients.
This Remote Procedure Calling protocol allows commands to be run, with data returned formatted in XML.
Beginning with WordPress 3.5 the XML-RPC functionality is enabled by default, without a way to disable.
Do I need WordPress XML-RPC?
Most users don't need WordPress XML-RPC functionality, and it's one of the most common causes for exploits.
All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.
A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API
Block WordPress xmlrpc.php requests with .htaccess
I want to send WordPress XML-RPC requests from my fictional IP address of 126.96.36.199.
So I can deny all requests to the xmlrpc.php file, except for that IP, using the following .htaccess rules:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 188.8.131.52 </Files>
If you didn't need any IP addresses to use XML-RPC requests, just don't use any allow lines.
You are NOT logged in. You can still browse our Support Center.
To participate within our Community Support Forum:
2017-03-11 8:15 am
I'm using nginx for wordpress and and I can see there are many request for xml-rpc file being made that is causing un-necessary blocking of server.
Please help to bloxk xml-rpc on nginx, site is : http://dealslama.com
2017-09-25 12:07 pm
If you wanted to block access to the xmlrpc.php in NGINX you can add the entry below to your NGINX configuration. This entry uses the 444 Response which is unique to NGINX and will cause NGINX to terminate the connection to the client requesting it without sending a response which will help save processing power/bandwidth if your server is being attacked.
2018-10-07 12:08 am
@Kyle for Nginx you can also just use the free plugins too:
If you migrate site the rules can be lost in htaccess file, etc. And plugin is support by the Inmotion server too.
2016-05-15 6:14 am
There is a module for that here: https://wordpress.org/plugins/disable-xml-rpc/
2015-10-09 12:53 pm
As of February 2015, a plugin disables XML-RPC to where it's not a problem: https://wordpress.org/plugins/disable-xml-rpc
2015-09-21 3:47 pm
you can disable per the following.
WordPress v3.5 introduces the filter
You can add this code to your
2015-06-28 11:54 am
My WP site just got hacked by some Bangladesh' hackers group. Looking through access logs I discovered xmlrpc.php was flooded with POST requests. No FTP was used in the attack, so I assume hackers must have gained access through the xmlrpc. Disabled permanently.
Thank God they didn't do more damage.
2015-02-27 4:49 pm
By completely blocking xmlrpc.php, isn't this also disabling the legitimate use of it for pingbacks?
2014-07-30 9:35 am
No suggestions, the explanation was clear and concise.