How to Enable and Disable XML-RPC.PHP in WordPress
In earlier versions of WordPress, XML-RPC was disabled for security reasons and there was an option to turn it on. After WordPress version 3.5, XML-RPC is enabled by default and the developers removed the option from the WordPress admin dashboard. XML-RPC is used for many purposes, but it can also be the cause of brute-force attacks on your site. Some people want to keep it enabled and some people want to disable XML-RPC in WordPress.
In this article, we will explain what XML-RPC.PHP is and how to disable XML-RPC in WordPress.
What is XML-RPC?
XML-RPC on WordPress is an API (Application Programming Interface) that allows users to access your WordPress site remotely using an application. For example, you can publish a post through an open source blogging application like Open Live Writer. You can also connect the WordPress mobile apps to your WordPress site. It’s a great way to manage your site when you are away from your computer. For this to work, XML-RPC must be enabled on your WordPress site. If you are using the latest version of WordPress, you don’t need to enable XML-RPC because it is already enabled by default.
However, in some cases it can be a security issue, and hackers can easily launch DDoS or brute-force attacks on your site using the XML-RPC file. As I already mentioned, after WordPress version 3.5 there is no option to disable XML-RPC on your WordPress site, so you need to disable it manually. This can be done by adding some code to your .htaccess file or by using a plugin. In this article, we will show the exact steps to disable XML-RPC.PHP in WordPress.
Should You Enable or Disable XML-RPC.PHP on Your Site?
XML-RPC has both advantages and disadvantages. Using XML-RPC, some applications can access your WordPress site remotely, and you can work on your site through the mobile application. By disabling it, you remove remote access to your WordPress site, and a few plugins can stop working if they use your site’s API.
On the other hand, by disabling XML-RPC.PHP, you are hardening your WordPress security. Attackers will not be able to access your site’s XML-RPC file, and you can prevent external attacks such as brute-force or DDoS attacks.
It depends entirely on you. If you use Open Live Writer for publishing content on your site or manage your site using the mobile application, then you can keep this function enabled; otherwise it’s better to disable it.
We don’t use any mobile app or Open Live Writer for publishing content on our site, so we disabled XML-RPC file requests.
Disable WordPress XML-RPC.PHP Using .htaccess
Before you restrict access to the XML-RPC file, you should know that doing so will prevent external websites or applications from accessing your website.
In WordPress, you can easily disable xmlrpc.php by adding a few lines to your .htaccess file. First, log in to your hosting cPanel and simply paste the following code in your .htaccess file:
[code]
# Block WordPress xmlrpc.php requests
# (Apache 2.2-style directives; on Apache 2.4 they require mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
[/code]
This will block WordPress XML-RPC requests. If you use an application like Open Live Writer for publishing content on your WordPress site, you can allow your IP address so that XML-RPC requests will be accessible only from your IP. To do this, add an allow line before </Files>, as in the following code:
[code]
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 10.123.456.000
</Files>
[/code]
You need to replace 10.123.456.000 with your static IP address. If you are not sure what your IP is, just type “What is My IP” into Google and you will get your IP address.
After this, save the .htaccess file and you are done.
Disable XML-RPC Using Plugin
Alternatively, you can use a plugin instead of adding code to your .htaccess file. You just need to install and activate the Disable XML-RPC plugin and you are good to go.
This plugin doesn’t have any settings. Once activated, the plugin will start its work. In case you want to re-enable XML-RPC, simply uninstall the plugin.
How to Check if XML-RPC is Disabled in WordPress
After disabling XML-RPC in WordPress, you may want to check whether it is actually disabled. To check it, go to XML-RPC Validation, enter your site URL, and click the check button. This tool will show you whether your XML-RPC is disabled.
I hope this tutorial helped you to understand what XML-RPC in WordPress is, how it works, and how to disable XML-RPC.PHP in WordPress. If you like this tutorial, do share it with your friends.