Disable XML-RPC for WordPress

Disable XML-RPC for WordPress: Brief Guide

Are you looking for a method to disable XML-RPC? Then this article is for you!

In the early days of WordPress, the developers added a core API, XML-RPC, that let users access their websites through third-party apps, tools, and services. However, hackers soon identified ways to exploit XML-RPC to obtain illegitimate access to WordPress websites.

Today, XML-RPC has been replaced by the REST API, so using the legacy XML-RPC is not advisable: leaving it enabled gives hackers an opening to exploit it and hack a WordPress website.

Disable XML-RPC for WordPress using Plugin

One of the easiest methods to disable XML-RPC is by using a plugin. This method is for beginners who don’t have much knowledge or don’t want to do any customizations to the website.

The first and foremost step is to install and activate the Disable XML-RPC-API plugin. Next, you may want to configure the plugin by going to XML-RPC Security and then heading over to XML-RPC Settings.

Disable WordPress XML-RPC via the .htaccess file

Editing the .htaccess file is recommended only for advanced WordPress users, because a poorly configured file can bring the whole website down. Hence, users need to be cautious before editing the .htaccess file.

If you want to limit remote access to a specific group of people, you can use the .htaccess file method.

To edit the .htaccess file and add the code, you can either connect to your website with an FTP client such as FileZilla or use an SEO plugin to edit the file.

Once you have opened the .htaccess file, add the following code:

# Block WordPress xmlrpc.php requests
# (Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Here, replace xxx.xxx.xxx.xxx with the IP address you wish to whitelist. Or, if you want to fully disable XML-RPC, delete the allow from line completely.

Disable XML-RPC for WordPress with Code Snippet

The third method to disable XML-RPC for WordPress is to add a code snippet to your website. You can use the WPCode plugin or any similar plugin to add code snippets easily and safely, without breaking the site.

Once you have installed the WPCode plugin, go to Code Snippets, then Add Snippet. The plugin’s code library already includes a snippet to disable XML-RPC; you just need to search for XML.

Once you find the snippet, click the Use snippet button. Then, on the Edit Snippet screen, use the toggle to set the snippet to Active. Lastly, click the Update button to save the changes.
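
Whichever of the three methods you use, it is worth confirming that xmlrpc.php really stopped answering. The script below is an added example, not part of the original article or of any plugin named in it: it sends the standard XML-RPC introspection call system.listMethods to a site you administer and reports whether the request was refused or still reached WordPress. The function names probe and classify and the sample responses are constructed for this example.

```python
import sys
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

MAX_BODY = 256 * 1024  # cap how much of the response is read and parsed

# Constructed sample bodies, used when no URL is given on the command line.
SAMPLE_LISTING = xmlrpc.client.dumps(
    (["system.listMethods", "demo.sayHello", "wp.getPost"],), methodresponse=True)
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "constructed fault text"), methodresponse=True)
SAMPLE_HTML = "<html><body>Forbidden</body></html>"


def classify(status, body):
    """Interpret the reply to a system.listMethods POST sent to /xmlrpc.php."""
    if status in (401, 403, 404, 405):
        return "blocked", []      # refused before WordPress handled the call
    if status != 200:
        return "unknown", []
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return "fault", [f"{fault.faultCode}: {fault.faultString}"]
    except (ExpatError, xmlrpc.client.Error, ValueError):
        return "unknown", []      # HTTP 200, but not an XML-RPC response
    methods = params[0] if params and isinstance(params[0], list) else []
    return "exposed", sorted(str(m) for m in methods)


def probe(site_url, timeout=10):
    """POST system.listMethods to the site's xmlrpc.php and classify the reply."""
    call = xmlrpc.client.dumps((), methodname="system.listMethods").encode()
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php", data=call,
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(MAX_BODY))
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. the URL of a site you administer
    else:
        print(classify(403, ""), classify(200, SAMPLE_LISTING)[0])
```

With the .htaccess rule in place, a request from an address that is not on the allow line should come back as blocked, so run the check from outside the whitelisted IPs. A result of exposed means the endpoint still answers and lists the methods it offers.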


Hope you liked our article on how to disable WordPress XML-RPC. You can use any of the methods we have stated above.
