How to Disable XML-RPC in WordPress

For security reasons, XML-RPC was disabled by default for a long time. Since WordPress 3.5, however, XML-RPC is enabled by default and there is no setting in the admin dashboard to turn it off. In this article, we explain how to disable XML-RPC in WordPress and look more closely at why it is enabled by default.

What is XML-RPC?

Baidu Encyclopedia explains that XML-RPC stands for XML Remote Procedure Call, that is, remote procedure calls encoded in XML (a subset of the Standard Generalized Markup Language). It is a specification, and a series of implementations of it, that lets programs running on different operating systems and in different environments make procedure calls to each other over the Internet. The calls use HTTP as the transport protocol and XML as the encoding for the transmitted data. The XML-RPC definition is kept as simple as possible, yet it can transmit, process, and return complex data structures.

In a nutshell, it is the mechanism that lets you publish posts to your WordPress site from popular blogging clients such as Windows Live Writer. It is also required when you use the WordPress mobile app or connect your site to services such as IFTTT.

If you want to access and publish articles remotely, you need to enable XML-RPC.

Previously, XML-RPC was disabled by default because of security concerns. Things are different now: the code quality of WordPress has improved a great deal, and thanks to extensive work by the development team, XML-RPC is no longer treated as a second-class citizen in API development. Compared with other parts of core, its security is no longer a particular concern.

There is no longer any reason for it to be disabled by default, so the option was removed.

With the increasing use of mobile devices, this change was inevitable. However, people who are cautious about security may argue that, even if XML-RPC's security is not a big problem today, it remains a point of attack if a vulnerability is ever found, so it is better to disable it.

As a compromise, the UI setting and the database option for disabling XML-RPC were removed, but you can still disable it when necessary through the filters WordPress provides.

How to disable XML-RPC?

Just paste the line below into your theme's functions.php file:

// Make every XML-RPC request fail; WordPress checks this filter before handling xmlrpc.php
add_filter('xmlrpc_enabled', '__return_false');

Alternatively, you can install a plugin called Disable XML-RPC; simply activating it has the same effect as the line of code above.
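The one-line filter above stops xmlrpc.php from serving requests, but the site still advertises the endpoint (the X-Pingback header and the RSD link in the page head) and still registers the pingback method that is most often abused to make a site relay traffic. The following block is an added example, not code from the original article or from WordPress itself; it goes beyond the page by combining the article's filter with those related clean-ups, using only hooks that exist in WordPress core (xmlrpc_enabled, xmlrpc_methods, wp_headers and the rsd_link action). The closure-based callbacks are an assumption about the PHP version in use (5.3 or later).

```php
<?php
/**
 * Added example: disable XML-RPC and stop advertising it.
 * Drop this into functions.php or, preferably, a small must-use plugin
 * so the hardening survives a theme switch.
 */

// 1. Refuse every XML-RPC request at the WordPress layer
//    (identical to the article's one-liner).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods from the method table as well, so that
//    even if XML-RPC is re-enabled by another plugin, the site cannot be
//    used as a pingback relay.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop announcing the endpoint: drop the X-Pingback response header
//    that WordPress adds on singular pages with pings open...
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ...and the Really Simple Discovery <link> in <head> that points
//    blogging clients at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );

// 4. Close pings for all posts, which is what makes WordPress emit the
//    pingback header in the first place.
add_filter( 'pings_open', '__return_false' );
```

After deploying, a quick check is to request the front page and a single post and confirm that the response carries no X-Pingback header and no `<link rel="EditURI" ...>` tag, and that a POST to xmlrpc.php returns the "XML-RPC services are disabled on this site" fault rather than a method list.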

How to disable WordPress XML-RPC via the .htaccess file?

While the solution above is sufficient for most people, it can still be resource-intensive for a site under attack, because every request to xmlrpc.php still has to load WordPress before the filter rejects it. In that case you may prefer to block all requests to xmlrpc.php in the .htaccess file, so that they are refused by the web server and never reach WordPress at all.

Just copy the code below into your .htaccess file. Note that it uses the Apache 2.2 Order/Deny/Allow access-control syntax; on Apache 2.4 it only works when mod_access_compat is loaded, otherwise the equivalent is Require all denied, plus Require ip for any address that should keep access.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: keep access for one trusted address (replace the placeholder
# with your own IP, or delete this line to block everyone)
allow from 123.123.123.123
</Files>

Because this site does not use a mobile app or any remote connection to publish articles, we have disabled XML-RPC. What is your opinion on this issue?
