How to Disable XML-RPC in WordPress (Secure Method)


XML-RPC is a WordPress service/API that allows you to connect your website to third-party applications such as the WordPress mobile app. This service allows third-party apps to publish posts to your WordPress website.

If you want to write and publish posts to your website from a third-party app, you need this service. This service is also used by automation tools such as IFTTT and Zapier.

If you want to disable XML-RPC, here are a few easy, secure ways to do it:

Option 1: Disable XML-RPC Using a Simple PHP Script

WordPress offers hooks and filters to give lower-level access to WordPress developers. These hooks and filters enable you to customize all aspects of WordPress.

One such filter is called ‘xmlrpc_enabled’. We can use this filter to disable XML-RPC.

Add this script to your theme’s functions.php file or create a plugin with this code in it:

add_filter('xmlrpc_enabled', '__return_false');

The above line of code simply returns false for the filter ‘xmlrpc_enabled’. This will disable the XML-RPC feature.

Use our plugin header generator to generate a plugin file. Then paste this code under the generated code.

Option 2: Disable XML-RPC Using Your .htaccess File

If you don’t want to use the above PHP script, you can disable XML-RPC using your website’s .htaccess file.

All you have to do is paste this code at the end of your .htaccess file:

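# Block all requests to xmlrpc.php file
<Files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>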

The above code will block all requests made to the xmlrpc.php file. This is the file that is responsible for the XML-RPC service.

The PHP script from Option 1 disables the XML-RPC service whenever it is called, whereas this .htaccess code blocks all requests for XML-RPC before they reach WordPress. This method is more memory-efficient as it doesn’t run any PHP code at all.

Option 3: Use a Plugin

If you don’t want to use any of the above methods, you can install and activate the Disable XML-RPC plugin. It’s a simple plugin that does what its name suggests.

There’s nothing much to this plugin. It uses the same PHP script from option 1:

Right at the bottom you can see that this plugin is just one line of code…

How To Test If XML-RPC Is Disabled

If you want to check if any of the above methods worked for you, you can just install the WordPress app on your mobile phone.

All you have to do is try to log into your WordPress site.

Install the app, and select the second option:

Now, enter your website’s URL:

Now, enter your login credentials:

You’ll see an error if your WordPress site’s XML-RPC service has been disabled successfully.
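A scripted alternative to the app-based check, added here as an example and not part of the original article: it sends one XML-RPC call to your own site and reports whether the web server blocked it (Option 2), the filter disabled it (Option 1 or 3), or the endpoint is still enabled. The function names, the placeholder credentials and the fault codes (405 when disabled, 403 on a bad login) are assumptions about how WordPress responds, not values taken from the article.

```python
import sys
import urllib.error
import urllib.request
import xmlrpc.client

def _fault(code, msg):
    """Build a constructed <fault> response body for the samples below."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, msg)).encode()

# Constructed samples. Assumption: WordPress answers a login-requiring method
# with fault 405 when xmlrpc_enabled is false and fault 403 on bad credentials.
SAMPLE_DISABLED = _fault(405, "XML-RPC services are disabled on this site.")
SAMPLE_BAD_LOGIN = _fault(403, "Incorrect username or password.")

def classify(status, body):
    """Map one HTTP response from xmlrpc.php to a verdict string."""
    if status in (401, 403, 404):
        return "blocked-by-server"   # web server refused; PHP never ran (Option 2)
    if status != 200:
        return "unknown"
    try:
        xmlrpc.client.loads(body)    # raises Fault for a <fault> response
    except xmlrpc.client.Fault as fault:
        # 405: the filter from Option 1 or 3 is active; any other fault means
        # the endpoint still processed the login attempt.
        return "disabled-by-filter" if fault.faultCode == 405 else "enabled"
    except Exception:
        return "unknown"             # not an XML-RPC response at all
    return "enabled"

def probe(site_url, timeout=10):
    """Send one wp.getUsersBlogs call with placeholder credentials to your site."""
    payload = xmlrpc.client.dumps(("placeholder-user", "placeholder-pass"),
                                  "wp.getUsersBlogs").encode()
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php", data=payload,
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536))
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")

if __name__ == "__main__":
    # Usage: python check_xmlrpc.py https://example.com  (your own site)
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify(200, SAMPLE_DISABLED))
```

A result of "enabled" after applying one of the options means the change did not take effect, for example because the .htaccess file is not being read or the plugin is not active.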
