How to Enable and Disable XML-RPC.PHP in WordPress

In the earlier, XML-RPC was disabled in WordPress for security purpose and there was an option to turn it on. After WordPress version 3.5, XML-RPC is enabled by default and developers also removed the option from WordPress admin dashboard. Where XML-RPC function is used for many purposes but it can be the cause of brute-force attack on your site. Some people want to keep it enabled and some people want to disable XML-RPC in WordPress.

In this article, we will write what is XML-RPC.PHP and how to disable XML-RPC in WordPress.

 

What is XML-RPC?

XML-RPC on WordPress is an API (Application Program Interface) which allows users to access remotely to your WordPress site using an application. For example, you can publish a post through an open source blogging application like Open Live Writer. You can also connect your WordPress mobile apps to your WordPress site. It’s a great way to manage your site if you are out of your computer. For this function, you need to enable XML RPC in your WordPress site. If you are using the latest version of WordPress, you don’t need to enable XML-RPC function because by default it’s already enabled.

However, in some cases, it can be a security issue and hackers can easily do DDoS or brute force attack on your site using XML-RPC file. As I already mentioned, after WordPress version 3.5, you will have no option to disable XML RPC on your WordPress site. In this case, you need to manually disable this function. It can be done by adding some codes in your .htaccess file or using a plugin. In this article, we will show exact steps how to easily disable XML-RPC.PHP in WordPress.

 

Should You Enable or Disable XML-RPC.PHP on Your Site?

XML-RPC has both advantage and disadvantages. Using XML RPC function, some applications can remote access your WordPress site. You can work on your site through the mobile application. By disabling it, you are eliminating the function of remote access for accessing your WordPress site and few plugins can stop working if they use your site’s API.

On the other side, by disabling XML-RPC.PHP, you are hardening your WordPress security.  Attackers will not be able to find your site’s XML-RPC file and you can prevent such external attacks like brute-force or DDoS attacks.

It totally depends on you now. If you use open live writer for publishing content on your site or manage your site using mobile application, then you can enable this function or it’s better to disable it.

We don’t use any mobile app or Open Live Writer for publishing content on our site, so we disabled XML-RPC file request.

 

Disable WordPress XML-RPC.PHP Using .htaccess

Before you restrict access to XML-RPC file, you should know that by doing so will restrict external websites or applications from accessing your website.

In WordPress, you can easily disable xmlrpc.php by adding few codes in your .htaccess file. First, log in to your hosting cPanel and simply paste the following code in your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

This will block WordPress xmlrpc request. If you use an application like Open Live Writer for publishing content on your WordPress site, you can allow your IP address so that xml-rpc request will be assessable only from your IP. To do this, enter the following code before </Files>.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 10.123.456.000
</Files>

You need to replace 10.123.456.000 with your static IP address. If you are not sure what is your IP, just type on Google “What is My IP” and you will get your IP address.

After this, save the .htaccess file and you are done.

 

Disable XML-RPC Using Plugin

In an alternate way, you can use a plugin instead of adding codes in your .htacces file. You just need to install and activate Manage XML-RPC plugin and go to XML-RPC Settings from your WordPress admin dashboard.

Disable XML-RPC Settings

There you will see few options, the first option will disable XML-RPC Pingback and the second option will disable XML-RPC request. In case you want to enable or disable XML-RPC for any IPs, you need to enter in the field. Then click on Save Changes and you are done.

 

How to Check if XML-RPC is Disabled in WordPress

After disabling XML-RPC in WordPress, you may want to check whether it is disabled or not. To check it, go to XML-RPC Validation and enter your site URL and click on the check button. This tool will show you if your XML-RPC is disabled.

I hope this tutorial helped you to understand what is XML-RPC in WordPress, How it works and how to disable XML-RPC.PHP in WordPress. If you like this tutorial, do share it with your friends.

Jyoti Prakash Ray
 

Jyoti Ray is the founder of WPMyWeb.com. He writes about Blogging, WordPress tutorials, Hosting, Affiliate marketing etc. He mostly spends times on blogging, reading books and cooking.

Leave a Reply

avatar
  Subscribe  
Notify of

Send this to a friend