What is Xmlrpc.php in WordPress? And why should you disable it?

  1. Home
  2. Knowledge Base
  3. What is Xmlrpc.php in WordPress? And why should you disable it?

What is Xmlrpc.php in WordPress? And why should you disable it?

WordPress has long offered features that allow you to engage with your site from afar. So for this reason, to access the site remotely, there was used file xmlrpc.php. It was the solution for a long time. However, the file has become more annoying than helpful in recent years.

We’ll look at what xmlrpc.php is and why it should be disabled in your WordPress website. We also go through the most frequent security concerns it creates and how to fix them on your WordPress website.

What is Xmlrpc.php? 

XML-RPC is a WordPress feature that allows data to be sent using the HTTP protocol as a transport and XML as an encoding technique. WordPress isn’t a self-enclosed system and there might be cases that need to communicate with other systems, so that’s why there was used xmlrpc.php file. 

For example, you don’t have your computer nearby and you need to post something on your WordPress website from your mobile device. For this purpose, you could do that remotely with xmlrpc.php file. This file allowed a remote access capability to gain remote access to your website. The XML-RPC capability is deactivated by default in the newest version of WordPress. This functionality was, however, enabled by default in prior version 3.5. The primary purpose of enabling this function in WordPress is to allow your WordPress mobile app to connect with your WordPress website.

Why should Xmlrpc.php be disabled?

The primary reason for disabling xmlrpc.php on your WordPress site is that it exposes security vulnerabilities and might be a target for attacks. There’s no reason to keep XML-RPC running since it’s no longer required to communicate outside of WordPress. As a result, it’s a good idea to disable it to make your site safer.

There are two main weaknesses of the XML-RPC feature in WordPress:

1. DDoS attacks (Pinbacks)

Pingbacks and trackbacks were one of the features enabled by xmlrpc.php. When another blog or website connects to your content, these notices display in the comments section of your site.

The XML-RPC specification enabled this connection, however the REST API has since taken its place. 

If your site uses XML-RPC, a hacker may use xmlrpc.php to launch a DDoS assault by sending a large number of pingbacks to your site in a short period of time. So this might cause your server to get overloaded and your website might be inaccessible

2. Bute Force attacks

The xmlrpc.php file generates a request to authenticate the User name and password each time it is run, whereas other APIs do not. In reality, the other APIs give a token for authentication instead of a username and password. Since the xmlrpc.php makes an authentication request every time, hackers can exploit this information to get access to your website. Because a brute force assault may be used to insert, delete, and edit website code, as well as create database harm.

If a hacker makes enough requests for different usernames and password pairings, there’s a good chance they’ll find the perfect one and get access to your WordPress site.

1. Disable with WordPress plugin

1. Login to your WordPress admin page and navigate to Plugins –> Add New. 

2. Then, in the search area, enter Disable XML-RPC. 

3. Click on Install button and activate that plugin on your site. 

This plugin will automatically insert the code to turn off XML-RPC.

However, using this plugin might affect other your used plugins. So by disabling XML-RPC, it could cause a plugin conflict or some part of your site might not work as it should work. 

So WordPress offers other plugins that might turn only some elements of XML-RPC, for example:

  • Control XML-RPC Publishing
  • Stop XML-RPC Attack

2. Disable manually

If you do not want to use a plugin, you can xmlrpc.php manually on your website. 

  1. Open your website .htaccess file. If you cannot find it or there is no such file, you can check this guide. 
  2. Inside your .htaccess file, you need to copy this code and paste it there:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Note 1: change to IP address you wish to allow access xmlrpc.php or delete this line.


Was this article helpful?