What is XML-RPC and should I disable it?
What is XML-RPC?
XML-RPC stands for XML Remote Procedure Call. They are requests sent over the web using the XML (eXtensible Markup Language) format to communicate commands to an application on the Internet.
How is it used with WordPress?
WordPress natively accepts XML-RPC requests. These requests must be authenticated, of course (meaning, they require an appropriate login that has permissions to take the action being requested). This is more commonly used by the native WordPress phone application or other third-party integrations.
How does this pose a security risk?
Since these requests need to be authenticated, XML-RPC can be used as a method of brute force attack (repeatedly trying username/password combinations) possibly exposing usernames or passwords to site attackers.
Wait, do I need XML-RPC?
99% of our customer base does not need XML-RPC enabled. If you’re not using any third-party applications or the native WordPress phone app, you’re probably fine to disable it. We highly recommend disabling it as part of locking your site down from potential attacks.
How do I disable XML-RPC in WordPress?
There are a few methods you can use to disable WordPress’ XML-RPC functionality:
- Add PHP code to block XML-RPC in your
functions.phpfile or a Must Use plugin - Utilize the
.htaccessfile on your hosting (if available/enabled) to block and whitelist IP addresses - Use a plugin to turn off XML-RPC in WordPress
Add PHP Code to Block XML-RPC
You can add the example PHP code below to your functions.php file to turn off the XML-RPC functionality:
Editing Your .htaccess File to Restrict by IP Address
Another option is to choose to use the .htaccess file (if supported by your hosting account) to deny all users from accessing the xmlrpc.php file in WordPress. The nice part about this option is you can whitelist specific IP addresses to enable access to certain applications/users. Example code below:
Using a Plugin
There are a handful of plugins in the public WordPress.org plugin repository that allow you to disable XML-RPC, a few are listed below:
Want us to do this for you?
Sign up today and we’ll disable XML-RPC as part of your on-boarding process!
