How to Disable xmlrpc.php in WordPress: A Step-by-Step Guide

WordPress has always included features that allow you to interact with your site remotely. For a long time, the solution was a file called xmlrpc.php. However, in recent years, the file has become more of a problem than a solution.

What is xmlrpc.php in WordPress?

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, this was used to handle that job.

Why was xmlrpc.php created and how was it used?

The use of XML-RPC dates back to the early days of WordPress, before it was even called WordPress. Writing and publishing online were much more difficult and time-consuming back then, when connections were incredibly slow. The solution at the time was an offline blogging client in which you could compose your content before connecting to your blog to publish it. This connection was established using XML-RPC.

XML-RPC nowadays

In 2015, WordPress core introduced a new REST API for interacting with mobile applications and other platforms. Many developers began to use the new REST API instead, which effectively replaced XML-RPC. However, XML-RPC is still enabled in WordPress, and the xmlrpc.php file is still located in the core software directory.

Why you should disable xmlrpc.php

The biggest problem with XML-RPC is security. The issue isn’t XML-RPC itself but how the file can be abused to launch cyberattacks on your site.

How to disable xmlrpc.php in WordPress

Let’s go over the two ways to disable xmlrpc.php in WordPress.

1. Disabling xmlrpc.php with a plugin

With a plugin, disabling XML-RPC on your WordPress site is simple. Simply navigate to the Plugins → Add New section from within your WordPress dashboard. Search for Disable XML-RPC-API and install it. Once you activate the plugin, it will automatically apply the necessary code to turn off XML-RPC.

Keep in mind that other existing plugins may utilize parts of XML-RPC, so disabling it completely could cause a plugin conflict or certain elements of your site to no longer function.

2. Disabling xmlrpc.php manually

If you prefer to disable xmlrpc.php manually, use this method, which stops all incoming xmlrpc.php requests before they are passed on to WordPress.

Access your .htaccess file through your hosting control panel’s File Manager or an FTP client. You may have to turn on the Show hidden files option to make this file visible. Inside your .htaccess file, paste the provided code.
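An .htaccess rule of the kind this step describes, written here as an added example (it is not the original page's snippet). It assumes an Apache server that honours .htaccess overrides; the IP address in the comment is a documentation placeholder.

```apache
# Added example: refuse every request for xmlrpc.php at the web server,
# so the request never reaches WordPress or PHP.
<Files "xmlrpc.php">
    # Apache 2.4 and later (mod_authz_core is loaded)
    <IfModule mod_authz_core.c>
        Require all denied
        # If one trusted client still needs XML-RPC, replace the line
        # above with its address (placeholder shown):
        # Require ip 203.0.113.10
    </IfModule>

    # Apache 2.2 (legacy access control, mod_authz_core absent)
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>
```

After saving the file, a request to /xmlrpc.php on your site should return 403 Forbidden. If it still answers "XML-RPC server accepts POST requests only.", the rule is not being applied.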

Conclusion

XML-RPC was a solid remote publishing tool for your WordPress site. However, it came with some security holes that ended up being pretty damaging for some WordPress site owners. To ensure your site remains secure, it’s highly recommended to disable xmlrpc.php entirely by using a plugin or manually editing the .htaccess file.
