If you’re not using XML-RPC, you should disable it from your site to prevent bots/hackers from hacking your site or slowing down your site with repeat XML-RPC attacks. Usually, the biggest problem with XML-RPC attacks is not that they get in but that they bog down your server with so many blocked requests.

  • XML-RPC is used to commonly used to connect to your site and blog from an a mobile app or remote publishing service. If you never publish to your site from anywhere but directly in WordPress admin itself, you are fine to disable it!
  • You can easily block all xmlrpc.php requests using .htaccess to prevent them from even getting passed into WordPress. Don’t bother using a security plugin for this, they’re either slower to process the block or they essentially do the same by adding this same bit of code to your htaccess.

Apache/LiteSpeed servers can paste the following code in your .htaccess file (preferably at the very top):

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Quick note…if you need to leave it on for certain IP, you can whitelist your IP and also Jetpack IP’s (if you use it).

Nginx servers can paste the following code into the functions.php (submitted by Regev):

// Disables XML-RPC
add_filter( ‘xmlrpc_enabled’, ‘__return_false’ );

function disable_x_pingback( $headers ) {
unset( $headers[‘X-Pingback’] );

return $headers;
add_filter( ‘wp_headers’, ‘disable_x_pingback’ );

add_filter( ‘xmlrpc_methods’, function( $methods ) {

unset( $methods[‘pingback.ping’] );

return $methods;

} );

Reference link to learn more about XML-RPC:

Latest Guides