How to Disable (or Enable) XMLRPC.PHP in WordPress and Why You Should


XML-RPC is a Remote Procedure Call (RPC) protocol that uses XML to encode its calls. Basically, it allows remote updates to your WordPress site from other applications. For example, the Windows Live Writer system is capable of posting blogs directly to WordPress by using xmlrpc.php. In the past it was disabled by default, and if you wanted to use it you would need to enable it.

But nowadays it is enabled by default, and even if you don’t use it, it can be used as an entry point to your website for hackers and cause other security issues.

In this quick tutorial I will show you how to disable the xmlrpc.php protocol and also show you how to re-enable it if you need it in the future.


What is XMLRPC.PHP

The xmlrpc.php file allows remote access to your WordPress website. Without it, various publishing tools and applications would not be able to access your website. This means any updates or new posts would need to be made manually, by logging into WordPress.

Let’s take a look at some Pros and Cons…

Pros:
By disabling the xmlrpc.php feature you are greatly reducing the risk of an external attack gaining access to your website’s core files. Although the developers of the protocol insist the programming is as secure as the rest of WordPress (which it is), by disabling it you are making it 100% safe.

It’s a little bit like a home with only one front door. It’s easy to secure that door, but if you add a second door to the house, no matter how secure it is, it is still a possible entry point to your home, and needs to be locked every night and looked after. Whereas if you remove the second door, you never have to worry about it again.

Cons:
The one main downside to disabling xmlrpc.php is that you won’t be able to use it anymore. Keep in mind that 98% of WordPress users will never use it. But the small percentage who do obviously need to keep it enabled. So if you want to be able to remotely post to your site, say from an app on your phone or through a tool like IFTTT, then you will need to keep it active.

But if (like most of us) you only ever add content to your site by logging in and posting it through the normal WordPress interface, then you have no need or use for xmlrpc.php and it can safely be disabled.


How Do I Know If XMLRPC.PHP is Enabled?

Well, that’s simple: if your WordPress website was built (or updated) in the last 10 years, then it is enabled. Some older installations that have never been updated may have it disabled by default, but if that’s you, then you really need to update your site.

So should you disable XMLRPC.PHP on your website?

For most people, the answer is yes, you probably should disable xmlrpc.php. Most of us will never use it anyway, so you may as well disable it and make your website that little bit more secure.

But if you plan to use third-party apps or content publishers to add content to your website, then you may need to keep it enabled. I say “may” because a lot of the newer content sharing and publishing platforms don’t even use xmlrpc.php anymore, so you will need to check with any tool you want to use to automate your site’s content.

Personally, I don’t recommend people use any type of automated content tools, as they cause a range of problems when trying to get your website ranked in search engines, such as duplicate content issues.

How To Disable Your XMLRPC.PHP


There are two main ways you can disable xmlrpc.php:

  1. You can install a plugin that will disable it for you
  2. Or you can manually disable it through your website’s .htaccess file

I will show you how to do both and you can choose whichever method suits you:


Disabling XMLRPC.PHP Manually through .htaccess


It’s a fairly simple process to disable it through your .htaccess file, and many people choose this method because they don’t like to install too many plugins, which may slow down their website’s response times.

In order to disable the protocol you will just need to edit, save and upload your .htaccess file with the following code:


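# Block WordPress xmlrpc.php requests
# (Apache 2.2-style directives; on Apache 2.4 they rely on mod_access_compat)
<Files xmlrpc.php>
    # Evaluate deny rules first, then allow rules
    order deny,allow
    deny from all
    # Placeholder address: replace with an IP that still needs access, or delete this line
    allow from 123.123.123.123
</Files>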

To do that, you will first need to find and download your .htaccess file. You can do this either by using an FTP client and navigating to your root folder, or by using your host’s File Manager to locate the file.

Once you have navigated to your root folder, if you can’t see .htaccess you may need to enable the option to show hidden files in your Control Panel’s settings.

When you can see the file, you should be able to click on it and download it, then open it up in a text editor.

Once you have it open, copy and paste the code shown above at the bottom of your .htaccess file.

Then simply save the file and re-upload it to your server, making sure to overwrite the original file. (You may want to keep a backup of the original if you are not comfortable doing this.)
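
One way to confirm the .htaccess rule took effect, and to answer the earlier question of whether xmlrpc.php is enabled on your own site. This is an added example, not code from the original article; the script name, verdict labels and User-Agent string are assumptions made for illustration.

```python
"""Check whether a site's xmlrpc.php is still reachable (added example)."""
import sys
import urllib.error
import urllib.request

# Text WordPress returns when xmlrpc.php is fetched with GET instead of POST.
WP_GET_NOTICE = "XML-RPC server accepts POST requests only"


def classify(status, body=""):
    """Map an HTTP status/body for /xmlrpc.php to a verdict string (labels are illustrative)."""
    if status in (401, 403):
        return "blocked"            # web server denied the request (.htaccess rule works)
    if status == 404:
        return "absent"             # file missing or hidden by the server
    if status == 405 or WP_GET_NOTICE in body:
        return "enabled"            # WordPress itself answered: endpoint is live
    if 200 <= status < 300:
        return "reachable-unknown"  # something answered, but not the usual notice
    return "inconclusive"           # redirects, 5xx, challenge pages, ...


def check(site_url, timeout=10):
    """GET <site_url>/xmlrpc.php and return (status, verdict)."""
    url = site_url.rstrip("/") + "/xmlrpc.php"
    req = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 4xx/5xx arrive as exceptions
        status, body = err.code, err.read(2048).decode("utf-8", "replace")
    return status, classify(status, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_xmlrpc.py https://your-site.example")
    code, verdict = check(sys.argv[1])
    print(f"HTTP {code}: xmlrpc.php is {verdict}")
```

Run it from a connection whose IP address is not on the allow line, otherwise the request is let through and the result reads as enabled.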

Disabling XMLRPC Through Plugins


There are also a few plugins that you can use to disable xmlrpc.php, so if you don’t feel comfortable editing your htaccess file, you might like to try one of these options:


PLUGIN: Manage XML-RPC


Manage XML-RPC is a great lightweight plugin that you can use. All you need to do is grab it from the WordPress Plugin Repository, then install and activate it in your WordPress admin dashboard.


You can also install it right from inside the Plugins Menu on your WordPress Dashboard.

Just go to Plugins > Add New 

Then search for Manage XML-RPC and it should appear in the results.


Click Install. Then click Activate, and you should see a new Menu item called XML-RPC Settings.


Simply check the box where it says: Disable XML-RPC and then Save Changes.

Doing it this way makes it super easy to turn it back on if at any time in the future you change your mind and want to use some sort of remote access tool. You can simply uncheck the box to turn it back on.

Additional Options: 

Manage XML-RPC also gives you the ability to disable pingbacks, which is also a good idea. You can also enable or disable access for certain users based on their IP address if you want to restrict access that way.
