Step by Step - Disabling XML-RPC from WordPress

xmlrpc.php is a script file that WordPress includes to provide remote connectivity between your WordPress site and external apps. To put it simply, this file lets you post content to your WordPress site remotely, without logging in to WordPress directly, from your mobile device or another blogging platform. If you have set up an automated system to post to your site from an external app or blogging platform, this service is what allows that app to post automatically. Isn't it a great feature? In earlier days it was a reasonable choice, but now it opens a big security hole for attackers. That's why it is recommended to disable XML-RPC on your website.

What is an XML-RPC attack?

This file invites brute-force and DDoS attacks against your site. It is vulnerable and can be exploited to gain easy access to the admin panel. An attacker can write a single line of code that starts a brute-force attack against your website, trying various combinations of usernames and passwords. In this way, the security arrangements on your server are bypassed and attackers gain access to your website easily.
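To see whether a site is on the receiving end of this, count POST requests to /xmlrpc.php per client in the web server access log. The Python sketch below is an added example, not code from the original article; it assumes Combined Log Format, and the threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: client IP, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak number of POSTs to /xmlrpc.php inside one window}
    for every client whose peak reaches the threshold."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        # The HTTP status is not used: XML-RPC reports errors as faults
        # in the response body, so request volume is the signal here.
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log using documentation IP ranges, not real traffic.
SAMPLE = [
    f'198.51.100.7 - - [12/Mar/2024:10:00:{s:02d} +0000] '
    '"POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
    for s in range(0, 48, 6)                   # 8 POSTs within 42 seconds
] + [
    '192.0.2.10 - - [12/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "app"',
    '192.0.2.10 - - [12/Mar/2024:10:09:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "app"',
    '192.0.2.44 - - [12/Mar/2024:10:00:09 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
]

if __name__ == "__main__":
    print(xmlrpc_bursts(SAMPLE))
```

A client that posts occasionally, such as a legitimate remote-publishing app, stays below the threshold; tune both values to your own traffic.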

Do I need XML-RPC.php file?

The answer is very simple: if you post to your site remotely, keep it enabled; if you log in to WordPress directly to manage and publish content, you don't need it enabled. Securing a web server is a great concern for administrators these days, and leaving this file enabled is another big security flaw for the web server.

How to check if XML-RPC is enabled?

You are probably looking for a direct and easy tool to test whether this file is enabled on your site, but honestly there is no direct way to test it. There are dozens of websites that claim to test XML-RPC, but they don't work. So here I am listing some useful methods by which you can determine whether this service is enabled on your WordPress site.

1. Check if the XMLRPC server is installed on your server or not.

Step 1: Open your site in the browser followed by /xmlrpc.php. for example
Step 2: If your site has an XMLRPC server installed, then you will see the following message.

XML-RPC server accepts POST requests only.

2. Check if the XML-RPC server is enabled or disabled on your site.

Step 1: You need to use your mobile device (Android or iOS) to check whether this server is enabled or disabled on your WordPress site.
Step 2: Go to the Play Store or the iOS App Store, search for the WordPress app, then download and install it on your mobile device.
Step 3: Open the WordPress app on your mobile device and tap the Enter your existing site address button.
Step 4: Enter the full site address and tap Continue.
Step 5: Fill in your WordPress admin panel Username and Password and then tap the Continue button. If this service is disabled, you will see the following message.

XML-RPC services are disabled on this site.

If this service is enabled, the app will log you in and you will be redirected to the admin area of your site.

How to disable XMLRPC.php from WordPress?

Method 1: Disable using the free plugin

This is the easiest and most convenient way to disable this file. It is fast and requires no programming or technical knowledge; you only need to know how to find, install and activate a plugin. There are lots of plugins out there, but it is recommended to use the Disable XML-RPC plugin. This plugin is very simple and needs no configuration. Just install and activate it to disable the XML-RPC API. If you want to re-enable this server later, deactivate the plugin.

Step 1: Log in to WordPress and go to Plugins ➜ Add New.
Step 2: Search for Disable XML-RPC, select the first result and click on the Install now button. Alternatively, you can download the plugin file directly.
Step 3: After installation, click on the Activate button to activate it.

Now the XML-RPC service is blocked, and this feature can no longer be used to attack your website.

Method 2: Using .htaccess file

Many users don't want to add an extra plugin to their website. If you don't like to use plugins, you can do the same job with the .htaccess file. In this method, you just add a few lines of code to your .htaccess file, and you're done!

Step 1: Open the .htaccess file. You can open it either with an FTP client like FileZilla or with your web host's file manager.
Step 2: Add the following code to the .htaccess file, save it and upload it.

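# Block WordPress xmlrpc.php requests
# On Apache 2.4 without mod_access_compat, replace the order/deny lines with: Require all denied
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>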
Step 3: Now check again using the above method whether XML_RPC server is disabled or not.
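The check can also be scripted. The Python sketch below is an added example, not part of the original article: it classifies a response from /xmlrpc.php using the two messages quoted above and the 403 status Apache returns once the deny rule is active. The state names, the helper functions and the sample responses are constructed for this example.

```python
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

GET_BANNER = "XML-RPC server accepts POST requests only."     # quoted on the page
DISABLED_MSG = "XML-RPC services are disabled on this site."  # quoted on the page

def classify(status, body):
    """Classify one HTTP response from /xmlrpc.php (state names are this example's)."""
    if status == 403:
        return "blocked-by-web-server"   # the .htaccess deny rule is in effect
    if GET_BANNER in body:
        return "endpoint-reachable"      # answers GET; the API itself may be on or off
    try:
        xmlrpc.client.loads(body)        # raises Fault for an XML-RPC <fault> reply
    except xmlrpc.client.Fault as fault:
        if DISABLED_MSG in fault.faultString:
            return "disabled-in-wordpress"   # message shown when the service is off
        return "enabled"                 # any other fault means the API is answering
    except (ExpatError, xmlrpc.client.ResponseError):
        return "unknown"                 # not an XML-RPC reply at all
    return "enabled"

def fetch_get(site):
    """GET <site>/xmlrpc.php and return (status, body), including 4xx replies."""
    url = site.rstrip("/") + "/xmlrpc.php"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def fault_xml(code, text):
    """Build a constructed XML-RPC fault reply for the offline samples below."""
    return ("<?xml version='1.0'?><methodResponse><fault><value><struct>"
            f"<member><name>faultCode</name><value><int>{code}</int></value></member>"
            f"<member><name>faultString</name><value><string>{text}</string></value>"
            "</member></struct></value></fault></methodResponse>")

# Constructed sample responses, not captured from a real site.
SAMPLES = {
    "after .htaccess rule": (403, "<html><body>Forbidden</body></html>"),
    "browser check": (405, GET_BANNER),
    "service disabled": (200, fault_xml(405, DISABLED_MSG)),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: {classify(status, body)}")
```

Against your own site, `classify(*fetch_get("https://example.com"))` (placeholder address) should return `blocked-by-web-server` once the rule from Step 2 is live.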


In this article, I have explained what the xmlrpc.php file is and why it is recommended to disable it for security purposes. Leaving this file enabled makes WordPress vulnerable and can allow attackers to gain access to your site. The article also explains how to find out whether the XML-RPC server is enabled and how to disable it.
