How to Disable (or Enable) XMLRPC.PHP in WordPress and Why You Should

XML-RPC is a Remote Procedure Call (RPC) protocol that uses XML to encode its calls. Basically, it allows remote updates to your WordPress site from other applications. For example, the Windows Live Writer system is capable of posting to WordPress blogs directly by using xmlrpc.php. In the past it was disabled by default, and if you wanted to use it you would need to enable it.

But nowadays it is enabled by default, and even if you don't use it, it can be used by hackers as an entry point to your website and cause other security issues.

In this quick tutorial I will show you how to disable the xmlrpc.php protocol and also show you how to re-enable it if you need it in the future.

What is XMLRPC.PHP?

Let’s take a look at some Pros and Cons…

Pros:
By disabling the xmlrpc.php feature you greatly reduce the risk of an external attacker using it to gain access to your website's core files. Although the developers of the protocol insist the code is as secure as the rest of WordPress (which it is), by disabling it you are making that entry point 100% safe.

It's a little bit like a home with only one front door. It's easy to secure that door, but if you add a second door to the house, no matter how secure it is, it is still a possible entry point to your home and needs to be locked every night and looked after. Whereas if you remove the second door, you never have to worry about it again.

Cons:
The one main downside to disabling xmlrpc.php is that you won't be able to use it anymore. Keep in mind that 98% of WordPress users will never use it, but the small percentage who do obviously need to keep it enabled. So if you want to be able to post to your site remotely, say from an app on your phone or through a tool like IFTTT, then you will need to keep it active.

But if (like most of us) you only ever add content to your site by logging in and posting it through the normal WordPress interface, then you have no need or use for xmlrpc.php and it can safely be disabled.

How Do I Know If XMLRPC.PHP is Enabled?

Well, that's simple: if your WordPress website was built (or updated) in the last 10 years, then it is enabled. Some older installations that have never been updated may have it disabled by default, but if that's you, then you really need to update your site.

So should you disable XMLRPC.PHP on your website?

For most people the answer is yes: you probably should disable xmlrpc.php, as most of us will never use it anyway, so you may as well disable it and make your website that little bit more secure.

But if you plan to use third-party apps or content publishers to add content to your website, then you may need to keep it enabled. I say "may" because a lot of the newer content sharing and publishing platforms don't even use xmlrpc.php anymore, so you will need to check with any tool you want to use to automate your site's content.

Personally I don’t recommend people use any type of automated content tools, as they cause a range of problems trying to get your websites ranked in search engines with duplicate content issues.

How To Disable Your XMLRPC.PHP

There are two main ways you can disable xmlrpc.php:

  1. You can install a plugin that will disable it for you
  2. Or you can manually disable it through your website's .htaccess file

I will show you how to do both and you can choose whichever method suits you:

Disabling XMLRPC.PHP Manually through .htaccess

It's a fairly simple process to disable it through your .htaccess file, and many people choose this method because they don't like to install too many plugins, which may slow down your website's response times.

To block the protocol you only need to add a few lines to your .htaccess file, then save and re-upload it. The full steps follow:


To do that, you will first need to find and download your .htaccess file, which you can do either by using an FTP client and navigating to your root folder, or by using your host's File Manager to locate the file.

Once you have navigated to your Root Folder, if you can’t see .htaccess you may need to enable the option to be able to see hidden files in your Control Panel’s settings.

When you can see the file, you should be able to click on it and download it, then open it in a plain-text editor.

Once it is open, copy and paste the code below at the bottom of your .htaccess file.

# Block WordPress xmlrpc.php requests
# 123.123.123.123 is a placeholder: replace it with the IP address that
# must still be allowed through (a remote publishing tool, for example),
# or delete the "allow from" line entirely to block every visitor.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Then simply save the file and re-upload it to your server, making sure to overwrite the original. (Keep a backup of the original .htaccess if you are not comfortable doing this.) Note that order, deny and allow are the Apache 2.2-style access directives; Apache 2.4 still accepts them as long as the mod_access_compat module is loaded, which is the usual setup on shared hosting, but if your host has removed that module the directives are unknown and the whole site will answer with a 500 error until you fix the file. Also, .htaccess files are only read by Apache (and LiteSpeed); on an nginx server the block has to go in the server configuration instead. Either way, check the result after uploading rather than assuming it worked.
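The "How Do I Know If XMLRPC.PHP is Enabled?" section above just assumes the answer is yes, and after uploading the .htaccess change you want to see it actually took effect. The script below is an added example, not code from the original post or from any WordPress plugin. It sends one plain GET request to your own site's xmlrpc.php and classifies the reply: WordPress answers a GET on a live xmlrpc.php with HTTP 405 and the body "XML-RPC server accepts POST requests only.", while a working .htaccess block answers 403 before WordPress runs at all. The site URL, the timeout, the User-Agent string and the verdict names are assumptions of this example; the sample answers are constructed so the classifier can be exercised offline.

```python
"""Confirm whether a WordPress site still serves xmlrpc.php.

Added example (not from the original post). One GET is sent to
<site>/xmlrpc.php and the answer is classified:

  * 403           -> the web server refused the request (the .htaccess block works)
  * 404           -> no such file (removed or rewritten away)
  * 405 + marker  -> WordPress ran xmlrpc.php and said it only takes POST,
                     so the endpoint is still reachable
  * anything else -> something other than WordPress answered (CDN, WAF, redirect page)
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Exact body WordPress returns (with HTTP 405) when xmlrpc.php receives a GET.
POST_ONLY_MARKER = "XML-RPC server accepts POST requests only."

# Verdict names are this example's own choice, not WordPress terminology.
BLOCKED, MISSING, REACHABLE, UNKNOWN = "blocked", "missing", "reachable", "unknown"


def classify(status, body):
    """Map the status code and body of GET /xmlrpc.php to one verdict string."""
    if status == 403:
        return BLOCKED
    if status == 404:
        return MISSING
    if status == 405 and POST_ONLY_MARKER in body:
        return REACHABLE
    return UNKNOWN


def fetch_xmlrpc(site_url, timeout=10):
    """GET <site_url>/xmlrpc.php and return (status, body), even for error statuses."""
    url = urljoin(site_url.rstrip("/") + "/", "xmlrpc.php")
    req = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 403/404/405 arrive here; the body is still readable.
        return err.code, err.read().decode("utf-8", "replace")


def check_site(site_url):
    """Verdict for a live site (performs one network request)."""
    status, body = fetch_xmlrpc(site_url)
    return classify(status, body)


# Constructed sample answers (not captured from a real site) for offline use.
SAMPLE_ANSWERS = {
    "after .htaccess block": (403, "<html><title>403 Forbidden</title></html>"),
    "default WordPress":     (405, POST_ONLY_MARKER),
    "file deleted":          (404, "Not Found"),
    "CDN error page":        (200, "<html>Checking your browser</html>"),
}


def classify_samples():
    """Run the classifier over the constructed samples; returns {label: verdict}."""
    return {label: classify(status, body) for label, (status, body) in SAMPLE_ANSWERS.items()}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python xmlrpc_check.py https://your-site.example
        print(check_site(sys.argv[1]))
    else:
        for label, verdict in classify_samples().items():
            print(f"{label:24s} -> {verdict}")
```

Run it with your own site URL as the only argument; "blocked" is the result you want after the .htaccess change, and "reachable" means the rule is not being applied (wrong folder, hidden-file upload problem, or a host that ignores .htaccess). Two caveats: the plugin method described further down leaves the file reachable and refuses the method calls inside WordPress instead, so this check reports "reachable" for a site protected that way, and a CDN or firewall that serves its own page for the URL produces "unknown", in which case look at the raw response before drawing a conclusion.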

Disabling XMLRPC Through Plugins

There are also a few plugins that you can use to disable xmlrpc.php, so if you don't feel comfortable editing your .htaccess file, you might like to try one of these options:

PLUGIN: Manage XML-RPC

Manage XML-RPC is a great lightweight plugin that you can use. All you need to do is grab it from the WordPress Plugin Repository, then install and activate it in your WordPress admin dashboard.

You can also install it right from inside the Plugins Menu on your WordPress Dashboard.

Just go to Plugins > Add New

Then search for Manage XML-RPC and it should appear in the results.

Click Install. Then click Activate, and you should see a new Menu item called XML-RPC Settings.

Simply check the box where it says: Disable XML-RPC and then Save Changes.

Doing it this way makes it super easy to turn it back on if at any time in the future you change your mind and want to use some sort of remote access tool. You can simply uncheck the box to turn it back on.

Additional Options:

Manage XML-RPC also gives you the ability to disable pingbacks, which is also a good idea. You can also enable or disable access for certain users based on their IP address if you want to restrict access that way.
