What Is XML-RPC in WordPress?
XML-RPC is a core WordPress API that has been enabled by default since WordPress 3.5 was released in 2012. It allows developers to use XML and HTTPS protocols to connect to and interact with your WordPress website. In short, you need XML-RPC enabled to access and publish your blog remotely, such as when you want to use a mobile app to manage your site or make connections to automation services.
However, if you’re not using mobile apps with your website, then it is advisable to disable XML-RPC as this closes a door that may potentially be exploited to hack your website. In this article, we are going to walk you through 3 methods to accomplish this.
Method 1: Disable WordPress XML-RPC With .htaccess (Advanced)
This method is for advanced users because it requires you to edit your site’s .htaccess file. This way has several advantages, such as the ability to give remote access to yourself and your team while restricting everyone else. It also won’t negatively affect your WordPress performance since it disables
XML-RPC requests before they are passed on to WordPress.
You will need to add the following code to your .htaccess file. You can do this by connecting to your site using an FTP client or file manager. Also, All in One SEO users can use the plugin’s built-in editor tool to add the code snippet, as you can see in the screenshot below.
|
1
2
3
4
5
6
|
# Block WordPress xmlrpc.php requests<Files xmlrpc.php>order deny,allow deny from allallow from 123.123.123.123</Files> |
If you wish to give a certain user remote access to your site, then simply replace ‘123.123.123.123’ on line 5 with their IP address. You can add multiple IP addresses by separating them with spaces. Or, if you want to disable XML-RPC completely, then delete line 5 altogether.
Method 2: Disable WordPress XML-RPC With a Code Snippet (Recommended)
This method requires you to add some code to your WordPress website. WPCode is the easiest and safest way to add code to your WordPress site. It helps you to manage your code snippets and prevents any errors from breaking your site. In this method, we will use one of WPCode’s built-in code snippets to disable XML-RPC.
- First, you need to install the free WPCode plugin.
- Upon activation, head over to Code Snippets » Add Snippet. The WPCode library already contains a snippet that disables XML-RPC. You can find it by searching for ‘xml.’
- Once you find it, you need to click the ‘Use snippet’ button.
- Next, you need to switch the ‘Active’ toggle to the ‘On’ position.
- Finally, make sure you click the ‘Update’ button to enable the snippet on your site and disable XML-RPC API.
Method 3: Disable WordPress XML-RPC With a Plugin
This is a simple method that can be used if you don’t want to add any other customizations to your website with a code snippet plugin
Simply install and activate the Disable XML-RPC-API plugin.
The plugin works out of the box and will immediately deactivate XML-RPC.
You can navigate to XML-RPC Security » XML-RPC Settings to configure the plugin. For example, you can allow certain users to access XML-RPC by whitelisting their IP addresses.
Testing That WordPress XML-RPC Is Disabled
Now you should check to make sure you successfully disabled the XML-RPC API on your WordPress website.
You can check that XML-RPC is disabled by simply visiting the URL http://example.com/xmlrpc.php in your browser. Make sure you replace ‘example.com’ with your own website’s domain name. If XML-RPC is disabled, you should see the error message: ‘Forbidden: You don’t have permission to access this resource.’