{"id":9324,"date":"2018-05-14T14:57:40","date_gmt":"2018-05-14T14:57:40","guid":{"rendered":"https:\/\/www.hostinger.com\/tutorials\/?p=9324"},"modified":"2025-01-08T03:53:31","modified_gmt":"2025-01-08T03:53:31","slug":"xmlrpc-wordpress","status":"publish","type":"post","link":"\/my\/tutorials\/xmlrpc-wordpress","title":{"rendered":"xmlrpc.php in WordPress: What is it and why disable It"},"content":{"rendered":"

WordPress has always included features that allow you to interact with your site remotely. For a long time, the solution was a file called xmlrpc.php<\/strong>. However, in recent years, the file has become more of a problem than a solution.<\/p>

We’ll look at what xmlrpc.php<\/strong> is and why it was written. We also go over the most common security issues it causes and how to fix them on your own WordPress site.<\/p>

\n\n\n\n\n\n\n<\/p>

What is xmlrpc.php in WordPress?<\/h2>

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, this was used to handle that job.<\/p>

The core features that xmlrpc.php<\/strong> enabled were connecting to your site via smartphone, implementing trackbacks and pingbacks from other sites, and some functions associated with the Jetpack plugin.<\/p>

Let’s say you wanted to post to your WordPress site from your mobile device. You could use the remote access feature enabled by xmlrpc.php<\/strong> to do just that.<\/p>

Why was xmlrpc.php created and how was it used<\/h2>

The use of XML-RPC dates back to the early days of WordPress, before it was even called WordPress.<\/p>

Writing and publishing on the internet were much more difficult and time-consuming in the early days of the internet when connections were incredibly slow. At the time, the solution was to create an offline blogging client where you could compose your content before connecting to your blog to publish it. This connection was established using XML-RPC. <\/p>

XML-RPC was initially disabled by default until WordPress 2.6<\/strong> added a feature in the dashboard to enable or disable it. Then, XML-RPC was enabled by default with WordPress 3.5 <\/strong>and the introduction of the WordPress mobile app. The option to enable or disable XML-RPC from the dashboard was also removed.<\/p>

XML-RPC nowadays<\/h3>

In 2015, WordPress core introduced a new REST API for interacting with mobile applications and other platforms. Many developers began to use the new REST API instead, which effectively replaced XML-RPC. <\/p>

However, XML-RPC is still enabled in WordPress, and the xmlrpc.php<\/strong> file is still located in the core software directory.<\/p>

\n\n\n

\n

Suggested reading<\/h4>\n

Learn more about WordPress REST API<\/a> and how to start using it for WordPress development.<\/p>\n <\/div>\n\n\n\n<\/p>

Why you should disable xmlrpc.php<\/h2>

The biggest problem with XML-RPC is the security concern that arises. The issue isn’t with XML-RPC in itself but instead with how the file can be abused to launch cyberattacks on your site. <\/p>

The first is using brute-force attacks<\/strong> to gain entry to your site. An attacker will try to access your site using xmlrpc.php <\/strong>by using various username and password combinations. They can effectively use a single command to test hundreds of different passwords, allowing them to bypass security tools that typically detect and block brute-force attacks.<\/p>

The second is taking sites offline through a DDoS attack<\/strong>. Hackers would use the pingback feature in WordPress to send pingbacks to thousands of sites instantaneously. This feature in xmlrpc.php<\/strong> gives hackers a nearly endless supply of IP addresses over which to distribute a DDoS attack.<\/p>

\n\n\n

\n

Pro tip<\/h4>\n

Various threats pose risks to your website's security. Safeguarding your website against potential vulnerabilities can be achieved by choosing a dependable WordPress hosting provider. Ensure your website's protection by selecting a secure WordPress host<\/a> that implements advanced security measures.<\/p>\n <\/div>\n\n\n\n<\/p>

So, in addition to protecting yourself with strong passwords and WordPress security plugins<\/a>, it’s best to disable xmlrpc.php<\/strong>.<\/p>

To check if XML-RPC is running on your site, run it through a tool called XML-RPC Validator<\/strong>. If you get an error message, then it means you don’t have XML-RPC enabled. But if you get a success message, it’s highly recommended that you disable xmlrpc.php<\/strong>.<\/p>

How to disable xmlrpc.php in WordPress<\/h2>

Let’s go over the two ways to disable xmlrpc.php<\/strong> in WordPress.<\/p>

1. Disabling xmlrpc.php with a plugin<\/h3>

With a plugin, disabling XML-RPC on your WordPress site is simple. <\/p>

Simply navigate to the Plugins → Add New<\/strong> section from within your WordPress dashboard<\/a>. Search for Disable XML-RPC-API<\/a><\/strong> and install it. Once you activate the plugin, it will automatically apply the necessary code to turn off XML-RPC.<\/p>

Keep in mind that other existing plugins may utilize parts of XML-RPC, so disabling it completely could cause a plugin conflict or certain elements of your site to no longer function.<\/p>

2. Disabling xmlrpc.php manually<\/h3>

If you prefer to delete xmlrpc.php<\/strong> manually<\/span>, follow this method which will stop all incoming xmlrpc.php <\/strong>requests before they get passed onto WordPress.<\/p>

Access your .htaccess <\/strong>file through your hosting control panel’s File Manager or an FTP client. You may have to turn on the Show hidden files<\/strong> option to make this file visible. Inside your .<\/em>htaccess<\/strong> file, paste the following code:<\/p>

# Block WordPress xmlrpc.php requests\n<Files xmlrpc.php>\norder deny,allow\ndeny from all\nallow from xxx.xxx.xxx.xxx\n<\/Files><\/pre>
\n\n\n
Important!<\/strong> Change xxx.xxx.xxx.xxx to IP address you wish to allow access xmlrpc.php<\/strong> or remove this line completely.<\/p><\/div>\n\n\n
\"\"<\/a><\/figure>\n\n\n\n<\/p>
Conclusion<\/h2>
XML-RPC was a solid remote publishing tool for your WordPress site. However, it came with some security holes that ended up being pretty damaging for some WordPress site owners.<\/p>
To ensure your site remains secure, it’s highly recommended to disable xmlrpc.php entirely by using a plugin or manually editing the .htaccess <\/strong>file.<\/p>
\n\n\n
\n                    
Learn more about WordPress<\/h4>\n                    

\nHow to use XAMPP in WordPress<\/a>
\nWordPress tutorial<\/a>
\nBest WordPress frameworks<\/a>
\nWhat is the WordPress Heartbeat API<\/a>
\nHow to add custom CSS to WordPress<\/a><\/p>\n                <\/div>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
WordPress has always included features that allow you to interact with your site remotely. For a long time, the solution was a file called xmlrpc.php. However, in recent years, the file has become more of a problem than a solution. We’ll look at what xmlrpc.php is and why it was written. We also go over […]<\/p>\n
Read More…<\/a><\/p>\n","protected":false},"author":411,"featured_media":69236,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"What is xmlrpc.php in WordPress and why you should disable It","rank_math_description":"XML-RPC allows WordPress to connect to other systems, but xmlrpc.php file is known for security issues. Learn what it is and how to disable it.","rank_math_focus_keyword":"xmlrpc.php, xmlrpc","footnotes":""},"categories":[22635,22632],"tags":[],"class_list":["post-9324","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-and-maintenance","category-wordpress"],"hreflangs":[{"locale":"en-US","link":"https:\/\/www.hostinger.com\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"pt-BR","link":"https:\/\/www.hostinger.com\/br\/tutoriais\/o-que-e-xmlrpc-php","default":0},{"locale":"fr-FR","link":"https:\/\/www.hostinger.com\/fr\/tutoriels\/xmlrpc-php","default":0},{"locale":"es-ES","link":"https:\/\/www.hostinger.com\/es\/tutoriales\/que-es-xmlrpc-php-wordpress-por-que-desactivarlo","default":0},{"locale":"id-ID","link":"https:\/\/www.hostinger.com\/id\/tutorial\/xmlrpc-php-wordpress","default":0},{"locale":"nl-NL","link":"https:\/\/www.hostinger.com\/nl\/tutorials\/xmlrpc-php-wordpress","default":0},{"locale":"ja-JP","link":"https:\/\/www.hostinger.com\/jp\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"ar-AE","link":"https:\/\/www.hostinger.com\/ae\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"en-UK","link":"https:\/\/www.hostinger.com\/uk\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"en-MY","link":"https:\/\/www.hostinger.com\/my\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"en-PH","link":"https:\/\/www.hostinger.com\/ph\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"es-MX","link":"https:\/\/www.hostinger.com\/mx\/tutoriales\/que-es-xmlrpc-php-wordpress-por-que-desactivarlo\/","default":0},{"locale":"es-CO","link":"https:\/\/www.hostinger.com\/co\/tutoriales\/que-es-xmlrpc-php-wordpress-por-que-desactivarlo\/","default":0},{"locale":"es-AR","link":"https:\/\/www.hostinger.com\/ar\/tutoriales\/que-es-xmlrpc-php-wordpress-por-que-desactivarlo\/","default":0},{"locale":"pt-PT","link":"https:\/\/www.hostinger.com\/pt\/tutoriais\/o-que-e-xmlrpc-php","default":0},{"locale":"en-IN","link":"https:\/\/www.hostinger.com\/in\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"en-CA","link":"https:\/\/www.hostinger.com\/ca\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"en-AU","link":"https:\/\/www.hostinger.com\/au\/tutorials\/xmlrpc-wordpress","default":0},{"locale":"en-NG","link":"https:\/\/www.hostinger.com\/ng\/tutorials\/xmlrpc-wordpress","default":0}],"_links":{"self":[{"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/posts\/9324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/users\/411"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/comments?post=9324"}],"version-history":[{"count":38,"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/posts\/9324\/revisions"}],"predecessor-version":[{"id":121141,"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/posts\/9324\/revisions\/121141"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/media\/69236"}],"wp:attachment":[{"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/media?parent=9324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/categories?post=9324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostinger.com\/my\/tutorials\/wp-json\/wp\/v2\/tags?post=9324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}