Disable WordPress XML-RPC requests

WordPress uses an implementation of the XML-RPC protocol in order to extend functionality to software clients.

This Remote Procedure Call protocol allows commands to be run remotely, with the returned data formatted in XML.

Beginning with WordPress 3.5, the XML-RPC functionality is enabled by default, with no option to disable it.

Do I need WordPress XML-RPC?

Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common causes of exploits.

Some clients such as the official WordPress Mobile Apps and Blogger use XML-RPC requests to function.

All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.

A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API.

Block WordPress xmlrpc.php requests with .htaccess

Suppose I want to send WordPress XML-RPC requests from my fictional IP address of 123.123.123.123.

I can deny all requests to the xmlrpc.php file, except those from that IP, using the following .htaccess rules:

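# Block xmlrpc.php requests
# (Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat)
<Files "xmlrpc.php">
    # Evaluate deny rules first, then let allow rules override them
    order deny,allow
    deny from all
    # Only this IP can still reach xmlrpc.php
    allow from 123.123.123.123
</Files>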

If no IP addresses need to send XML-RPC requests, simply omit the allow line.
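
To decide which IPs need an allow line, and to confirm afterwards that everyone else is refused, you can summarize the POST requests to xmlrpc.php in the access log per client IP. The following is an added example, not code from the original article; it assumes the combined access log format, and the function name summarize_xmlrpc and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Apache "deny from all" answers 403; 444 is NGINX closing the connection
DENIED = {"403", "444"}


def summarize_xmlrpc(lines, allowed=frozenset()):
    """Count POSTs to xmlrpc.php per client IP, split into denied and served."""
    denied, served = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a POST
        # Ignore the query string and match the script at any install path
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        (denied if m["status"] in DENIED else served)[m["ip"]] += 1
    return {
        "denied": dict(denied),
        "served": dict(served),
        # Rule gaps: clients outside the allow list that were still served
        "leaks": sorted(ip for ip in served if ip not in allowed),
        # Over-blocking: allow-listed clients that were refused
        "overblocked": sorted(ip for ip in denied if ip in allowed),
    }


# Constructed sample lines (documentation IP ranges plus the article's fictional IP)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Feb/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Feb/2015:10:00:03 +0000] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.20 - - [10/Feb/2015:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
    '123.123.123.123 - - [10/Feb/2015:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.20 - - [10/Feb/2015:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    report = summarize_xmlrpc(SAMPLE_LOG, allowed={"123.123.123.123"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

An IP listed under leaks means the rule is not in effect for that request path or virtual host; an IP under overblocked means its allow line is missing or wrong.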

InMotion Hosting Contributor

10 thoughts on “Disable WordPress XML-RPC requests”

  1. @Kyle for Nginx you can also just use the free plugins too:

    https://wordpress.org/plugins/disable-xml-rpc-littlebizzy/

    If you migrate the site, the rules in the htaccess file can be lost, etc. And the plugin is supported by the InMotion server too.

  2. I’m using nginx for WordPress and I can see there are many requests for the xml-rpc file being made, which is causing unnecessary blocking of the server.

    Please help to block xml-rpc on nginx, site is: https://dealslama.com

    1. Hello,

      If you want to block access to xmlrpc.php in NGINX, you can add the entry below to your NGINX configuration. This entry uses the 444 response, which is unique to NGINX and will cause NGINX to terminate the connection to the client requesting it without sending a response, which will help save processing power/bandwidth if your server is being attacked.

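      location = /xmlrpc.php {
          # return is evaluated before the access checks, so clients get 444
          deny all;
          # Do not log requests for this location
          access_log off;
          log_not_found off;
          # Close the connection without sending a response
          return 444;
      }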

      Best Regards,
      Kyle M

  3. As of February 2015, a plugin disables XML-RPC to where it’s not a problem: https://wordpress.org/plugins/disable-xmlrpc

  4. You can disable it per the following.

    WordPress v3.5 introduces the filter xmlrpc_enabled:

    add_filter('xmlrpc_enabled','__return_false');

    You can add this code to your wp_config.php after the line require_once(ABSPATH .'wp-settings.php'); if you want to disable XML-RPC for your site. Surely a better solution is to create a small plugin.

  5. My WP site just got hacked by some Bangladeshi hacker group. Looking through access logs I discovered xmlrpc.php was flooded with POST requests. No FTP was used in the attack, so I assume hackers must have gained access through the xmlrpc. Disabled permanently.

    Thank God they didn’t do more damage.
