How to Securely Disable XML-RPC in WordPress (Expert Tutorial)

XML-RPC is a core WordPress API (served by xmlrpc.php in the site root) that lets third-party applications connect to and communicate with your WordPress site using XML-formatted requests over HTTP or HTTPS. That is useful functionality, but the endpoint is enabled by default, answers requests from anyone, and has for years been abused as a cheap way to brute-force logins and to turn WordPress sites into denial-of-service relays.

Recent 2022 statistics indicate over 60% of compromised WordPress sites had an exposed and enabled XML-RPC API.

In this expert tutorial, we'll analyze the XML-RPC attack surface and risk factors in depth. We'll also give WordPress site owners clear, step-by-step instructions for securely disabling XML-RPC using methods suited to beginners, intermediate, and advanced users.

XML-RPC API: A Growing Attack Surface

The WordPress XML-RPC API supports vital functions, including:

  • Allowing mobile apps and services to integrate and post content remotely
  • Enabling backup tools to perform remote backups
  • Supporting multi-user publishing from distributed locations

However, the same design has been exploited heavily over the past few years:

  • Botnets use XML-RPC for brute-force login attacks (system.multicall lets a single HTTP request carry hundreds of username/password guesses) and for distributed denial of service (DDoS) attacks (pingback.ping makes your server fetch any URL the caller names, so thousands of sites can be pointed at one victim)
  • Information-disclosure bugs and method abuse have exposed user data such as email addresses
  • Spam networks exploit it to post unwanted content and comments

The same 2022 hacking data puts the numbers side by side:

Statistic                Compromised sites    Sites without issues
Had XML-RPC enabled      62%                  28%

These figures are correlational. XML-RPC is enabled by default, so an enabled endpoint on a compromised site does not by itself prove it was the entry point; it does show that most compromised sites left this surface open.

Because these weaknesses enable wide-scale brute-force and credential-stuffing campaigns and DDoS amplification without any authentication, an XML-RPC endpoint reachable from the internet is a real and growing attack surface.

Experts nearly universally advise that if you don't use XML-RPC functionality, you should disable it. Before you do, check what you rely on: Jetpack, some remote backup and security services, and older mobile publishing apps talk to WordPress through XML-RPC and will stop working once it is blocked. Let's explore secure ways to block XML-RPC access based on your technical comfort level.

Method 1: Block XML-RPC Using .htaccess (Advanced)

The most robust way to disable XML-RPC is at the web server, via the .htaccess file in your site root. This rejects requests before they reach any WordPress code, so PHP never runs for them. Note that .htaccess is honored only by Apache (and LiteSpeed) with AllowOverride enabled; nginx ignores it, so nginx users need the equivalent location rule in the server configuration instead.

Benefits:

✅ Blocks requests at server level before hitting WordPress
✅ No performance impact on WordPress site
✅ Selectively allow access by IPs

Here are step-by-step instructions to block XML-RPC using .htaccess:

  1. Using an FTP client or file manager, log in and open .htaccess in the site root
  2. Add the following snippet and save the file:
# Block WordPress XML-RPC requests (Apache 2.4+)
<Files xmlrpc.php>
    Require all denied
    # To allow a specific client, add one line per address, for example:
    # Require ip 203.0.113.10
</Files>
  3. To allow access selectively, uncomment the Require ip line and list each address (or CIDR range) that needs the endpoint, one per line, before </Files>

On Apache 2.2 (or 2.4 with mod_access_compat loaded) the equivalent directives are order deny,allow / deny from all / allow from <address>. Either way the rule blocks every client, including your own server, unless you add an explicit allow; if a service such as Jetpack or a backup tool needs XML-RPC, add its published source addresses rather than disabling the block.

Important: Backup .htaccess before making changes in case issues arise. Test functionality afterwards.

The .htaccess method is powerful but requires confidence editing configuration files. Next, we'll explore more user-friendly XML-RPC blocking options.

Method 2: Disable XML-RPC Using Code Snippets

If directly editing .htaccess makes you nervous, using WordPress code snippets provides an alternative without compromising security.

We suggest the WPCode plugin to safely add snippets. WPCode has a built-in library for disabling XML-RPC as well.

Benefits:

✅ Very simple to toggle snippets on/off
✅ Built-in code library for XML-RPC and other optimizations
✅ Handles errors gracefully, preventing site issues

Follow these steps to disable XML-RPC using WPCode:

  1. Install and activate the WPCode plugin
  2. Navigate to Snippets → Add New
  3. Search "XML-RPC" and click Use This Snippet
  4. Name the snippet, set status to Active
  5. Click Update to save changes

And you're done. The snippet relies on WordPress's xmlrpc_enabled filter, which turns off every XML-RPC method that requires a username and password. That stops system.multicall brute forcing, but the endpoint itself still answers, and unauthenticated methods such as pingback.ping keep working; if the pingback DDoS vector matters to you, also remove those methods with the xmlrpc_methods filter or block xmlrpc.php at the web server as in Method 1.

Method 3: Install a Dedicated Plugin

If you want the absolute easiest method without dealing with code, installing a dedicated XML-RPC blocking plugin is the way to go.

We recommend the appropriately named Disable XML-RPC plugin.

Benefits:

✅ Super simple setup – just install & activate
✅ No coding or configuration required
✅ Lightweight with no settings to complicate

Here are the steps for a plugin-based install:

  1. Search "Disable XML-RPC" and install the plugin by Khaled Hossain
  2. Head to Plugins and Activate
  3. You're done. Authenticated XML-RPC methods are now disabled

The Disable XML-RPC plugin blocks authenticated API requests as soon as it is activated. Plugins of this kind are usually nothing more than a call to the xmlrpc_enabled filter, so the same caveat as in Method 2 applies: pingbacks and other unauthenticated methods still answer. The plugin source is typically only a few lines, so open it and check whether it also removes the pingback methods before relying on it as your only control. It is still the easiest way to disable XML-RPC logins if you don't require them.
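The snippet and plugin methods above both stop at the xmlrpc_enabled filter, while Method 1 is the only one that also closes the pingback vector and supports an IP allow-list. The following must-use plugin is an added example, written for this article; it is not code from WPCode, from the Disable XML-RPC plugin, or from WordPress itself. It combines the three layers in PHP: a hard 403 for any xmlrpc.php request not on an allow-list, the xmlrpc_enabled filter, and removal of the pingback and system.multicall methods. The XMLRPC_ALLOWED_IPS constant is a hypothetical name introduced here; define it in wp-config.php only if some service genuinely needs the endpoint.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 * Description: Example mu-plugin, not code from the article or any named plugin.
 *              Returns 403 for xmlrpc.php unless the client is allow-listed,
 *              disables authenticated XML-RPC methods, and removes the
 *              pingback and system.multicall methods.
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php (create the directory
 * if it does not exist); must-use plugins load automatically.
 */

// Layer 1: fail fast. xmlrpc.php defines XMLRPC_REQUEST before loading
// WordPress, so by the time 'init' fires we know this is an XML-RPC request.
add_action( 'init', function () {
    if ( ! ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ) {
        return;
    }

    // Hypothetical allow-list constant (assumption for this example), e.g.
    // define( 'XMLRPC_ALLOWED_IPS', array( '203.0.113.10' ) ); in wp-config.php.
    // REMOTE_ADDR is only the real client address when the site is NOT behind
    // a proxy or CDN; otherwise it is the proxy's address and must not be trusted.
    $allowed = defined( 'XMLRPC_ALLOWED_IPS' ) ? (array) XMLRPC_ALLOWED_IPS : array();
    $remote  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    if ( ! in_array( $remote, $allowed, true ) ) {
        status_header( 403 );
        nocache_headers();
        header( 'Content-Type: text/plain; charset=utf-8' );
        exit( 'XML-RPC is disabled on this site.' );
    }
}, 0 );

// Layer 2: even for allow-listed clients, refuse every method that needs a
// username/password. This is what the snippet and plugin methods do; it stops
// system.multicall-based brute forcing but does NOT touch unauthenticated
// methods such as pingback.ping. Drop this line if an allow-listed service
// must log in with WordPress credentials.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Layer 3: remove the pingback methods (reflection/amplification DDoS) and
// system.multicall (hundreds of calls per request) from the method table.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising the endpoint: no X-Pingback response header and no RSD
// <link> tag in <head>, so scanners get one less hint that xmlrpc.php exists.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Layers 2 and 3 only matter for clients that pass layer 1; for everyone else PHP exits at init. If the site sits behind a CDN or reverse proxy, leave XMLRPC_ALLOWED_IPS undefined (everyone gets 403) and do any allow-listing at the proxy, where the true client address is known.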

Confirming XML-RPC is Fully Disabled

Verifying that XML-RPC is really blocked takes a minute, but the expected result depends on which method you used.

Navigate to:

yourdomain.com/xmlrpc.php

On a site where XML-RPC is enabled, this GET request returns the text "XML-RPC server accepts POST requests only." with HTTP status 200. After the .htaccess method you should instead get a "403 Forbidden" error, which confirms the web server is rejecting the request before WordPress runs.

The snippet and plugin methods do not change that GET response, because they only disable methods that require a login. To test them, send a POST request to xmlrpc.php containing a methodCall for an authenticated method such as wp.getUsersBlogs (any username and password will do). A disabled site answers with an XML-RPC fault, code 405, "XML-RPC services are disabled on this site." You can also POST a call to system.listMethods: if pingback.ping still appears in the list, the pingback vector is still open and needs the web-server block or the xmlrpc_methods filter as well.

You have now learned expert techniques to analyze XML-RPC security and properly disable it on your WordPress site using various methods suitable for all expertise levels. Please contact us with any questions!

      TechUseful