What Is Xmlrpc.Php in WordPress? Should You Disable It?

To XML-RPC, or not to XML-RPC: that is the question. At least for those who have an affinity with remote control in WordPress. Indeed, Extensible Markup Language Remote Procedure Call (widely known and abbreviated as XML-RPC) is a protocol specified as a communication facilitator. It was first created as an ensemble of codes enabling data transmission across a network comprised of diverse operating systems. No one can deny how useful it was during its first years of service. But as time went by, the underlying technology has inexorably evolved, and nowadays, xmlrpc.php files have become a burden. More precisely, they fragilize websites, making them more prone to attacks and other security issues.

Let’s use this article to remember why the XML-RPC protocol was created in the first place. We also ought to explain why you don’t need it anymore and how to disable it.

A Little Retrospective of XML-RPC.PHP

The XML-RPC protocol was created in 1998 from the collaboration of Dave Winer of UserLand Software and Microsoft. At the time, the real big deal was the ongoing design of SOAP (Simple Object Access Protocol). There were some setbacks that apparently made Winer come up with something more manageable, namely XML-RPC. A prototype of SOAP, if you will. But why was there a need for a simpler system? Back then, internet connection was sluggish, rendering even the most basic processes overcomplicated. People were naturally reluctant to use browsers and would rather write entire portions of their content offline. Then they would copy and paste it onto the web. All in all, they were trying to save the day within a technically restricted context. WordPress was still in gestation but a modernized conception of content management systems was already in place.

That being said, what users did get with the new protocol was quite aligned with their established habits. It was almost just an improvement of their previous offline blogging experience through a client relying on specifically adjusted software. Later on, the emergence of WordPress XML-RPC has sort of confirmed the tendency.  

How to Know If XML-RPC Is Running on Your WordPress Site

Version 2.6 of WordPress had the advantage to enable and disable XML-RPC at your convenience. Then it became enabled by default. So anyone installing WordPress can be sure to get xmlrpc.php automatically. Are you looking for confirmation, regardless? XML-RPC validation services seem to be currently down. Remember our introductory lines when we said that the protocol is no longer a priority. Ok, but how else can you check whether it’s enabled? The answer is the PHP URL, meaning that you should copy your own blog URL on your browser. See if you are getting a PHP POST request notification. If you see the following information: ‘XML-RPC server accepts POST requests only’, you will know that the protocol is enabled.  

The rationale for Disabling XML-RPC.PHP

You may want to disable XML-RPC for several reasons. First of all, you may be agreeing about the fact that the feature is getting somewhat tired nowadays. In effect, it’s not really a requirement anymore for your communications outside of WordPress. The current technology offers more practical alternatives. And what’s more, xmlrpc.php can be the source of serious security problems. Hackers and other intruders are well acquainted with various RPC attack types. They know how to manipulate the protocol in order to turn it into an infiltration pathway.

In that regard, there are two noticeable threats users should be aware of. The first one is a classic in cryptography and is known as a brute-force attack. It happens when an attacker adopts a trial-and-error mode by submitting several username and password combinations to access your site. The tricky part is that those forcible entries can remain undetectable since attackers may be hiding their attempts under a single command. So your security measures are likely to be ineffective in such cases. The other big risk is DDoS (distributed denial-of-service) attacks. This kind of sabotage targets a specific server or network and aims at obstructing its normal traffic. What the attackers do is send pingbacks to multiple sites at once with the intention to make them crash. WordPress is all the more advantageous for them, considering the great number of IP addresses that xmlrpc.php delivers.

If you want to avoid the aforementioned scenarios, disabling XML-RPC in WordPress is a logical precaution. Moreover, we have entered the WordPress API era. It’s comparable to a brand new ecosystem that makes XML-RPC already obsolete. It promises a direct coding system that won’t require any PHP open file manipulations or other similar tweaks.


Option 1: Disable Xmlrpc.php with a Plugin

This is probably the most intuitive and viable way. Just one note of caution though: Check your other plugins before any complete deactivation. Indeed, some of them may be using elements of XML-RPC. Disabling it altogether could thus interfere with the proper functioning of such plugins and even block them. To prevent that, you may opt for a partial deactivation. Let’s suppose that you just want to shield your site against the types of attacks that we mentioned previously. You could use specific plugins like Loginizer or Remove & Disable XML-RPC Pingback. This would be a less restrictive strategy and still grant the other plugins access to the xmlrpc.php file. 

Now let’s get back to the typical deactivation method and see what to do:

Go to the Plugins section the WordPress dashboard

Add New Plugin

Log in to your WordPress site and go directly to your dashboard. Select ‘Plugins’ and then ‘Add New’.

Install the Disable XML-RPC plugin

Disable XML-RPC

Disable XML-RPC is the most recommended plugin for deactivation. Search for it. Once you’ve found it, select ‘Install Now’.

Activate the Disable XML-RPC plugin

Activate WordPress Plugin

Once the installation is completed, select ‘Activate’. The plugin will automatically insert the code that allows you to switch off XML-RPC. 

Option 2: Disable Xmlrpc.php Manually

You may also control the deactivating process manually. We are saying control on purpose because there are some particular actions to execute. 

The xmlrpc_enabled filter is often the first solution coming to mind. That’s the one supposed to be added at the end of the wp-config.php file. Let’s remember what it looks like:

add_filter(  ‘xmlrpc_enabled’,   ‘__return_false’   ) ;

The thing is, this method is not effective if your objective is to turn off XML-RPC completely. Despite the latest system updates, it still seems to work only for cases that require authentication. So what else could you do to obtain a full deactivation and counteract xmlrpc.php security issues?

One of the reliable ways is to use the .htaccess file. Open it. In case you don’t see it, make sure to turn on the ‘show hidden files’ option in the file manager. You may also connect to it via the FTP client. Then add the following code:

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from xxx.xxx.xxx.xxx


Note that the ‘allow from xxx.xxx.xxx.xxx’ line is optional. You need it only if there is a specific IP address you wish to grant access to xmlrpc.php. If so, just replace the xxx parts with the IP address. Otherwise, remove this line

Here’s an additional way for those of you who are on an Nginx server. You can ask your hosting provider to insert the following code:

# nginx block xmlrpc.php requests

location ~* ^/xmlrpc.php$   {

return 403 ;}

XML-RPC at a Glance

We all know that xmlrpc.php files and the XML-RPC protocol have been of great support in the past. They were already here long before WordPress itself was launched. Without them, it would have been difficult to communicate with external systems or blog offline. But times have changed and we need more efficient precautions against security flaws. Disabling XML-RPC is nowadays one of the best options to keep your site safe and functional. Be also ready for the full transition into REST API. That’s how you can hope to maintain an up-to-date and efficient WordPress site.

Frequently Asked Questions About

It’s not that simple. Despite its downsides, the protocol is still an integral part of the system. Plus, even if you delete it, it will come back with the very next WordPress update. So it would be a pretty much useless attempt.

Yes. The PHP comment options haven’t changed much. Here’s a quite comprehensive resource that you may use (see the ‘Comments’ section on the right menu): https://developer.wordpress.com/docs/api/1.1/get/sites/%24site/comments/%24comment_ID/

Yes. If for some reason you haven’t managed to update WordPress to version 4.4. and beyond, then you may need XML-RPC. As long as you keep working within any environment incompatible with the REST API, the older protocol remains usable. 

A PHP log is a diagnostic tool with a scope that goes beyond the XML-RPC protocol. In other words, error logs can help identify a wide range of problems related to hosting services.

Fatih Karadeniz
Hi my name is Fatih Karadeniz. I graduated from English Language and Literature Department and I have developed an interest in researching and writing about SEO and Digital Marketing related topics.
1 Comments on What Is Xmlrpc.Php in WordPress? Should You Disable It?

Your email address will not be published. Required fields are marked *

(Total: 49 Average: 5 )

1 Comment

  1. Eliot Molina
    Eliot Molina

    XMLRPC PHP is an important part of WordPress that allows for remote access and communication with the WordPress platform. It’s a useful tool, but can be a security risk if not properly managed. I suggest everyone to take extra steps to secure it.