Disable WordPress XMLRPC: Full Guide (Via Code or Plugin)

Looking for a WordPress plugin to disable XMLRPC? Or maybe you want to manually disable XMLRPC via a short code snippet? Look no further because in this article we will show you how to disable XMLRPC using both methods.

But before we dive into the steps for either method, let’s try to answer some basic questions you’re probably thinking of, such as:

  • How big is the security threat of XMLRPC?
  • Why does it even exist?
  • Is disabling XMLRPC enough?

Rest assured we will answer all of your burning questions. Now let’s start.

When should XMLRPC not be disabled?

XMLRPC was developed to allow WordPress to communicate with other systems. For example, using the WordPress application on your phone requires XMLRPC.

XMLRPC isn’t really needed these days because of the REST API, which now transfers data between WordPress and other systems.

XMLRPC is still included with a WordPress installation for backward compatibility. We all know that keeping your website up to date is extremely important, but there are instances when website owners choose to hold off on updates. And if your site is running on a version older than the REST API, then it’s better to keep the XMLRPC file enabled.

As you may already know, the main disadvantage of enabling the XMLRPC file is that it is known to introduce vulnerabilities into a WordPress website. Therefore, we highly recommend installing a WordPress security plugin on your website to keep hackers at bay.

You may want to keep the PHP file (i.e. xmlrpc.php) when you use an application that cannot access the REST API but can access XMLRPC. In this particular case, XMLRPC is only a temporary solution and we strongly encourage you to find an application that is compatible with the REST API.

Now that you know when you shouldn’t disable XMLRPC, let’s look at all the good reasons why you should disable the PHP file:

The most common reason for disabling the XMLRPC file is that it makes your website vulnerable to hacking attacks like DDoS and brute force attacks. The PHP file also tends to consume a lot of your server resources, making your website very slow.

Some plugins, like Jetpack, are known to have issues with XMLRPC.

[Screenshot: Jetpack has problems with XML-RPC]

So if you want to disable the XMLRPC file, follow the steps below.

How to disable XMLRPC

There are two ways to disable the XMLRPC file. You can do this with a plugin or manually. We cover both methods below. Let’s dive in…

Important – Before proceeding, back up your entire website. To follow this tutorial you will need to install a plugin or modify your WordPress files. Websites are often known to break when a new plugin is installed, and changing files is a risky business. Backups are a safety net that you can fall back on in unfortunate circumstances. So make sure you create a backup before proceeding.

Disable XMLRPC with a plugin

There are many plugins that disable XMLRPC on your WordPress site. In this tutorial we will use the most popular one: Disable XML-RPC. If you can’t use it, you can try one of the following alternatives:

Pro tip: Do you have a security plugin installed on your website? Then check whether you can disable XMLRPC with that security plugin. For example, iThemes can disable XMLRPC with a click of a button.

Now let’s disable XMLRPC using the Disable XML-RPC plugin.

Download and install the Disable XML-RPC plugin on your WordPress website. And that’s it. The plugin automatically disables the PHP file without you having to lift a finger.

Using plugins is a great way to solve problems on a WordPress website, but installing plugins also has a downside. It consumes a lot of your server resources. Because of this, the manual route might be preferable for many website owners.

Disable XMLRPC manually

There are three ways to manually disable XMLRPC. You can do this by using a filter or by modifying the .htaccess or Nginx configuration files. Let’s try them all.

Disable with .htaccess file

To edit the .htaccess file you need to open your hosting account and go to cPanel → File Manager → public_html → .htaccess. Right-click the .htaccess file and select Edit. Next, add the following code at the end of the file:

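# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
# Apache 2.2 syntax; on Apache 2.4+ without mod_access_compat, use "Require all denied" instead
order deny,allow
deny from all
</Files>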

Don’t forget to click Save before closing the window or tab.

[Screenshot: Editing the .htaccess file to disable XMLRPC]

Side note: If you’ve never delved into the backend of your WordPress website, editing the .htaccess file can be a daunting task. We recommend that you learn about the functions and meaning of the file, and then try different methods of editing the .htaccess file.

Disable with the Nginx configuration file

Before we show you the steps, here is a disclaimer. This particular method is only effective if your website is hosted on an Nginx server.

Not sure if your website is hosted on Nginx? Here’s how you can find out:

1. Right-click anywhere on your website and then select Inspect.

2. Go to the Network tab and you will be prompted to reload the website. Next, select All.

[Screenshot: Find the network option in your Google Chrome]

3. A list of entries will appear under a column called Name. Click an entry, go to Headers in the side panel, and scroll down. You should see the name of your server.

[Screenshot: Find out the server hosting your website with Google Chrome]

If your website is hosted on Nginx, continue to the next step.

Open the Nginx configuration file and paste the following code into the file:

location ~* ^/xmlrpc\.php$ {
    return 403;
}

After saving the settings, if you open the XMLRPC file from the frontend of your website, you will get a 403 error. See for yourself. Just add /xmlrpc.php to the end of your website’s address and press Enter.

Disable using a filter

You can disable the XMLRPC file by writing a small plugin that contains the following filter, then making sure the plugin is installed and activated on your website.

add_filter( 'xmlrpc_enabled', '__return_false' );

As you can understand, this particular option is ideal for developers. For people with normal technical skills, we recommend the config or .htaccess file options.
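A complete single-file plugin built around that filter, as an added example (not code from the original article or from WordPress itself; the plugin name and file name are assumptions). The xmlrpc_enabled filter only switches off XML-RPC methods that require authentication, so the example also removes the unauthenticated pingback methods through the xmlrpc_methods filter and stops advertising the endpoint in the page head.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Description: Hypothetical plugin; save as wp-content/plugins/disable-xmlrpc-example.php and activate it.
 */

// Do nothing if this file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// The filter from the article: disables XML-RPC methods that require a login,
// which is what password-guessing attempts against xmlrpc.php rely on.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled does not cover methods that need no authentication.
// Remove the pingback methods from the list the XML-RPC server exposes.
add_filter(
	'xmlrpc_methods',
	function ( $methods ) {
		unset(
			$methods['pingback.ping'],
			$methods['pingback.extensions.getPingbacks']
		);
		return $methods;
	}
);

// Remove the RSD <link> tag from the page head, which points clients at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

With this plugin active, xmlrpc.php still answers requests; only a server-level rule such as the .htaccess or Nginx block above stops requests before they reach PHP.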

Nothing worked?

If you tried the steps shown in this article but didn’t get the results you wanted, contact your hosting provider. They should be able to tell you what’s going wrong and how to disable XMLRPC on your WordPress site.


Disabling XMLRPC ensures that your website is protected from certain types of hacking attacks such as DDoS and brute force attacks. But there are many other ways to break into your website, so we recommend following our WordPress security guide to ensure full protection of your WordPress website.
