XML-RPC is an older WordPress communication protocol that still powers some remote publishing and app integrations.
This guide explains how to disable XML RPC in WordPress, when doing so makes sense, and what to check before and after you change it.
What XML-RPC Does in WordPress
XML-RPC is a web service protocol that allows external applications to communicate with a WordPress site.
Historically, it enabled features such as remote post publishing, trackbacks, and connections from mobile apps or desktop editors.
Today, the WordPress REST API handles many modern integrations, but XML-RPC still exists for backward compatibility.
That compatibility is useful for some workflows, yet it also makes XML-RPC a common target for automated attacks.
Why Site Owners Disable XML-RPC
Many administrators disable XML-RPC to reduce exposure to brute-force attempts and pingback abuse.
In security logs, XML-RPC often appears in repeated login attempts because attackers can use it to test many usernames and passwords efficiently.
Disabling it can also reduce noise from unnecessary requests and help harden smaller sites that do not rely on remote publishing.
For WordPress sites with simple publishing workflows, the security benefit may outweigh the convenience of keeping it on.
Common Risks Associated with XML-RPC
- Brute-force amplification: Attackers can send multiple login attempts through a single request.
- Pingback abuse: Malicious actors may use pingbacks to trigger outbound requests from your server.
- Legacy attack surface: Older functionality can remain enabled even when it is no longer needed.
When You Should Keep XML-RPC Enabled
Not every site should disable XML-RPC.
If you use the WordPress mobile app, some desktop blogging tools, Jetpack features, or legacy remote publishing services, XML-RPC may still be required.
Multisite environments, editorial teams using third-party posting software, and older integrations may also depend on it.
In those cases, a partial restriction approach may be better than a full shutdown.
How to Disable XML RPC in WordPress
There are several ways to disable XML-RPC in WordPress.
The safest method depends on your hosting setup, comfort level with server configuration, and whether you need the feature for anything.
Method 1: Use a Security Plugin
Many WordPress security plugins include a setting to disable XML-RPC with one click.
This is usually the easiest option for non-technical users because it avoids manual code changes.
Common plugin features may include XML-RPC blocking, brute-force protection, and login rate limiting.
If you already use a security plugin, check whether it offers XML-RPC controls before adding new tools.
Method 2: Add a Code Snippet
You can disable XML-RPC by adding a small snippet to your theme’s functions.php file or, preferably, a site-specific plugin.
Using a custom plugin is safer because it will not disappear when you change themes.
A typical approach uses the xmlrpc_enabled filter to return false.
This disables XML-RPC at the WordPress level while keeping the rest of your site intact.
add_filter('xmlrpc_enabled', '__return_false');
After adding the snippet, test your site, especially if you use remote publishing or app-based workflows.
If a service stops working, you may need to remove the snippet or choose a more selective restriction method.
Method 3: Block XML-RPC at the Web Server or CDN Level
Advanced users can block requests to xmlrpc.php through Apache, Nginx, a web application firewall, or a CDN such as Cloudflare.
This approach can reduce server load because the request is stopped before it reaches WordPress.
Server-level blocking is useful if your hosting environment supports it and you want stronger protection against automated traffic.
However, it may require more technical maintenance than a plugin-based setting.
Method 4: Restrict Specific XML-RPC Functions
If you need XML-RPC for limited use cases, you can restrict only the functions that create risk.
For example, some administrators block pingbacks while leaving other XML-RPC methods available for trusted tools.
This approach takes more effort but offers a balanced compromise for sites that cannot fully disable the protocol.
It is especially relevant for teams that rely on a few legacy integrations.
How to Verify That XML-RPC Is Disabled
After disabling XML-RPC, confirm that the endpoint is no longer accessible.
The usual test is to visit /xmlrpc.php directly or use a security scanner that checks WordPress endpoints.
You may see a blocked response, a 403 error, or a message indicating that XML-RPC is disabled.
The exact result depends on whether you blocked it in WordPress, at the server, or through a security layer.
What to Check After Disabling It
- Mobile publishing apps still function if you need them.
- Jetpack or other connected services continue working, if applicable.
- No unexpected 404, 403, or timeout errors appear in logs.
- Login workflows and XML-RPC-based automation are not broken.
XML-RPC vs REST API
WordPress now relies heavily on the REST API for modern integrations.
Unlike XML-RPC, the REST API uses JSON and is generally easier for developers to work with in current applications.
Disabling XML-RPC does not disable the REST API.
That distinction matters because many site owners want to improve security without breaking modern features that depend on the newer API.
Security Best Practices After Disabling XML-RPC
Disabling XML-RPC is only one layer of hardening.
To keep your WordPress site safer, pair it with additional controls that reduce login abuse and endpoint scanning.
- Use strong, unique administrator passwords.
- Enable two-factor authentication for admin accounts.
- Limit login attempts or use rate limiting.
- Keep WordPress core, themes, and plugins updated.
- Use a Web Application Firewall to filter malicious traffic.
- Remove unused plugins and themes to reduce attack surface.
For high-traffic sites, monitor logs regularly so you can detect whether attackers are still targeting xmlrpc.php or other endpoints.
Security tools often reveal patterns before they become incidents.
Choosing the Right Approach for Your Site
If you are deciding how to disable XML RPC in WordPress, start by identifying which tools and services actually depend on it.
A full disable is simplest for many sites, but a partial restriction may be better if you rely on older publishing apps or specific integrations.
For most site owners, a security plugin or small code snippet is enough.
Larger sites or managed hosting environments may benefit from server-level blocking or firewall rules for stronger protection and better performance.