{"id":1330,"date":"2021-07-23T07:00:40","date_gmt":"2021-07-23T12:00:40","guid":{"rendered":"https:\/\/www.knownhost.com\/kb\/?p=1330"},"modified":"2026-01-26T10:38:40","modified_gmt":"2026-01-26T16:38:40","slug":"what-is-wordpress-xmlrpc","status":"publish","type":"post","link":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/","title":{"rendered":"What is WordPress xmlrpc.php (XML-RPC)?"},"content":{"rendered":"<p>As&nbsp;<a href=\"https:\/\/blog.wpsec.com\/xml-rpc\/\">WPSec.com explains<\/a>, WordPress \u201cXML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism.\u201d.<\/p>\n\n\n\n<p>Originally, XML-RPC was developed back in the 
early days of WordPress, when Internet connections were slow and sporadic at best.&nbsp; In fact, rather than actively writing new posts via the WordPress online user interface, posts were written asynchronously, offline, and then uploaded to the server.&nbsp;&nbsp;<\/p>\n\n\n\n<p>PHP is the scripting language running on the server machine, hence the .php extension to the filename.<\/p>\n\n\n\n<p>XML stands for extensible markup language.&nbsp; It\u2019s the encoding mechanism, or data formatting language, that effectively marked up the post that was to be transmitted, into a common structured format that the server could decode, insert into a database, recognize how the post should appear and insert into a blog.<\/p>\n\n\n\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Remote_procedure_call\">RPC<\/a>&nbsp;is short for remote procedure call.&nbsp; It\u2019s simply a way for a call in one location to trigger the execution of a function or routine in another.&nbsp; Sometimes those locations are common to the same server, but sometimes they\u2019re physically thousands of miles apart.<\/p>\n\n\n\n<p>Note that some RPCs have been exploited, causing confusion &#8211; whereby people think all RPCs are forms of a virus.&nbsp; One example is the massive August 2003 Microsoft virus known as MSBlast or W32.Blaster.Worm, which ran amok on Windows computers, exploiting a weakness in the DCOM RPC interface.&nbsp; It spread like wildfire and caused significant chaos.<\/p>\n\n\n\n<p>Because of security concerns, back in 2008&nbsp;<a href=\"https:\/\/www.hostinger.co.uk\/tutorials\/xmlrpc-wordpress\">(WordPress 2.6)<\/a>, there was a configurable option that would allow you to enable or disable XML-RPC.&nbsp; Because of security threats (too many compromised systems), the default option became to disable it.&nbsp; Then, as mobile clients\u2019 popularity increased, in WordPress 3.5, the default reverted to being&nbsp;<a 
href=\"https:\/\/blog.wpsec.com\/xml-rpc\/\">enabled by default<\/a>.<\/p>\n\n\n\n<p>If you\u2019d like to learn more about XML-RPC and the history of its development, head on over to&nbsp;<a href=\"http:\/\/xmlrpc.com\/\">xmlrpc.com<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why_would_i_want_xml-rpc_enabled\"><span class=\"ez-toc-section\" id=\"why_would_i_want_xml-rpc_enabled\"><\/span>Why Would I Want XML-RPC Enabled?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The WordPress XML-RPC approach is still used in this modern day and age for making blog posts, whether you\u2019re using a mobile application such as the WordPress mobile app, desktop clients like Windows Live Writer or even unique solutions like If This Then That (IFTTT).&nbsp; As implausible as it sounds, even WordPress plugins, like JetPack, depend on XML-RPC. The top reasons XML-RPC is enabled by default in WordPress are the WordPress iOS client and JetPack.<\/p>\n\n\n\n<p>JetPack uses xmlrpc.php to connect to the WordPress.com website so that it can perform numerous functions.<\/p>\n\n\n\n<p>Besides remote blog posting, there are several things you can accomplish when using XML-RPC within WordPress.&nbsp; These include post editing, post deletion, adding new image files to a post, pulling back a list of comments and editing comments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how_to_check_if_xml-rpc_is_enabled\"><span class=\"ez-toc-section\" id=\"how_to_check_if_xml-rpc_is_enabled\"><\/span>How to Check if XML-RPC is Enabled?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If you\u2019ve got XML-RPC (xmlrpc.php) enabled, it means you\u2019ve got the capability to run JetPack and make blog posts from cell phone clients like iPhones.&nbsp; But how do you know\u2026. 
Is XML-RPC enabled on WordPress?<\/p>\n\n\n\n<p>There are several different ways of checking whether XML-RPC is enabled.&nbsp; Below are two of the easiest, and most common, ways to check if it\u2019s active:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"method_1\"><span class=\"ez-toc-section\" id=\"method_1\"><\/span>Method #1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>If you\u2019d like to check if XML-RPC is enabled, just visit the following website:&nbsp;<a href=\"https:\/\/xmlrpc.eritreo.it\/\">WordPress XML-RPC Validation Service<\/a><\/li><li>Once there, insert your blog&nbsp;URL, for example:&nbsp;www.equipnations.com\/xmlrpc.php<\/li><li>If you\u2019ve got XML-RPC enabled, you\u2019ll get a success message reading \u201cCongratulation! Your site passed the first check.\u201d<ul><li><strong>Stop there &#8211; do not put in your credentials.<\/strong>&nbsp;At this point you have confirmed that XML-RPC is working, active, enabled and a possible source of compromise.<\/li><li>In this case, a success message means XML-RPC is working, visible and potentially a target for hackers!<\/li><\/ul><\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"method_2\"><span class=\"ez-toc-section\" id=\"method_2\"><\/span>Method #2<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>Alternatively, you can visit that&nbsp;URL&nbsp;for your own blog, not the example, directly in your web browser:&nbsp;xmlrpc<\/li><li>Check the response.&nbsp; If you have XML-RPC enabled, you\u2019ll see: XML-RPC server accepts POST requests only.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why_would_i_want_to_disable_xml-rpc\"><span class=\"ez-toc-section\" id=\"why_would_i_want_to_disable_xml-rpc\"><\/span>Why Would I Want to Disable XML-RPC?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In trying to understand why you may want to disable XML-RPC in WordPress, it\u2019s 
important to understand how it\u2019s used.&nbsp; We already know that some plugins, and all remote publishing clients, rely on XML-RPC to function. What hasn\u2019t been said is how XML-RPC does its thing.<\/p>\n\n\n\n<p>Each and every time an XML-RPC call is made, it has to be authenticated via a username and password.&nbsp; Combine that with the system.multicall capabilities, and suddenly every time it\u2019s called, it could be trying out 100 login combos on behalf of a hacker attempting to break into your blog.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This amplification of requests, where 1 call can spawn 100 requests, is a classic example of how distributed denial of service (DDoS) attacks are made.&nbsp; If brute force attacks are hitting your site, then eliminating the threat of XML-RPC becomes a clear contender for smart strategies to consider.<\/p>\n\n\n\n<p>The worst part about it is that you can\u2019t block it at the firewall or restrict capabilities.&nbsp; Otherwise your plugins and mobile clients that rely on it &#8211; IF ANY &#8211; will stop working.<\/p>\n\n\n\n<p>If you don\u2019t absolutely need the plugin or mobile client capabilities, then disabling XML-RPC isn\u2019t a big deal.&nbsp; It will close the door on some of the most prolific hacking attacks against your WordPress blog.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how_to_disable_xml-rpc\"><span class=\"ez-toc-section\" id=\"how_to_disable_xml-rpc\"><\/span>How to Disable XML-RPC?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>When it comes to removing the threats from having XML-RPC enabled, there are several approaches to reducing or eliminating the risk, each with strengths and weaknesses of its own.&nbsp; Read on to see exactly how one goes about the steps to disable WordPress XML-RPC (xmlrpc.php).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"option_1_-_deletion\"><span class=\"ez-toc-section\" id=\"option_1_%e2%80%93_deletion\"><\/span>Option 1 &#8211; Deletion<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>In this scenario, you simply remove the xmlrpc.php file from the server.&nbsp; It could easily be done via&nbsp;FTP&nbsp;or cPanel. Just log in and delete the file using the file browser, or similar, menu.<\/p>\n\n\n\n<p>Advantage:&nbsp; It\u2019s easily done.&nbsp; Quick and painless.<\/p>\n\n\n\n<p>Disadvantage:&nbsp; Once you\u2019ve removed the file, any time you get a WordPress update or upgrade, you\u2019re going to have to go back in and delete the file all over again.&nbsp; For that reason, this option is NOT recommended.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"option_2_-_disable_via_htaccess\"><span class=\"ez-toc-section\" id=\"option_2_%e2%80%93_disable_via_htaccess\"><\/span>Option 2 &#8211; Disable via .htaccess<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>In scenario number 2, instead of removing the file completely, as with Option 1, you\u2019ll be keeping the file, but preventing it from being accessed by any processes.&nbsp; In effect, you\u2019re putting the file in quarantine so it can\u2019t be used against you.<\/p>\n\n\n\n<p>As&nbsp;seen on StackExchange (wordpress.stackexchange.com\/questions\/219643\/best-way-to-eliminate-xmlrpc-php), here\u2019s the approach.&nbsp; It\u2019s short and sweet:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  # Block WordPress xmlrpc.php requests\n  &lt;Files xmlrpc.php&gt;\n    order allow,deny\n    deny from all\n  &lt;\/Files&gt;<\/code><\/pre>\n\n\n\n<p>Advantage:&nbsp; By eliminating the ability to access the file, you\u2019ve stopped the risky xmlrpc.php file from being operational &#8211; a very good thing.<\/p>\n\n\n\n<p>Disadvantages:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Not every host will allow changes to system configuration files like .htaccess<\/li><li>If you make changes to .htaccess, forget what this was included for, or otherwise tweak the mechanism that has been disabling XML-RPC from working, it 
could return to being operational.&nbsp; Overall, this is a very low probability event, so it\u2019s not a big downside.<\/li><li>If you get the code wrong, make a typo or other error, you could break your site<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"option_3a_-_disable_via_functionsphp_in_wordpress_theme_files\"><span class=\"ez-toc-section\" id=\"option_3a_%e2%80%93_disable_via_functionsphp_in_wordpress_theme_files\"><\/span>Option 3a &#8211; Disable via Functions.php in WordPress Theme Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>In scenario number 3a, instead of removing the file completely, or disabling it by editing a key server configuration file, with this method, you\u2019re relying on a theme file from within WordPress.&nbsp; It\u2019s great for hosts with restrictive access or so that you can keep all your functionality within the WordPress directory tree.<\/p>\n\n\n\n<p>This approach&nbsp;creates two filters (action hooks) and one function.<\/p>\n\n\n\n<p>Add a filter to identify XMLRPC as not enabled:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  add_filter( 'xmlrpc_enabled', '__return_false' );<\/code><\/pre>\n\n\n\n<p>Add a filter to disable X-Pingback in the WordPress headers:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  add_filter( 'wp_headers', 'disable_x_pingback' );<\/code><\/pre>\n\n\n\n<p>Set up the function to do the disabling:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  function disable_x_pingback( $headers ) {<\/code><\/pre>\n\n\n\n<p>Unset the headers:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    unset( $headers&#91;'X-Pingback'] );<\/code><\/pre>\n\n\n\n<p>Return the modified headers:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    return $headers;<\/code><\/pre>\n\n\n\n<p>End the function:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  }<\/code><\/pre>\n\n\n\n<p>Full Version of the disable XMLRPC code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  add_filter( 'xmlrpc_enabled', 
'__return_false' );\n  add_filter( 'wp_headers', 'disable_x_pingback' );\n  function disable_x_pingback( $headers ) {\n    unset( $headers&#91;'X-Pingback'] );\n    return $headers;\n  }<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"usage_notes\"><span class=\"ez-toc-section\" id=\"usage_notes\"><\/span>Usage notes:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>If you\u2019re using the default theme, edit the functions.php file and then get the theme updated, your changes will be overwritten and gone.<\/p>\n\n\n\n<p>If you\u2019re using the default theme, then change to a different theme, your changes will no longer be present.<\/p>\n\n\n\n<p>Best practices call for themes to be regularly used and updated, so you should&nbsp;<strong>put your changes into a child theme<\/strong>&nbsp;so that they are preserved, even when the main theme gets updated.<\/p>\n\n\n\n<p>If you make an error in rekeying the above, omit a bit of punctuation during a copy and paste, or generally make any kind of fat fingering error at all, you can bet that there will be some type of error or crash generated as a result.<\/p>\n\n\n\n<p>This will only disable the&nbsp;<a href=\"https:\/\/developer.wordpress.org\/reference\/hooks\/xmlrpc_enabled\/\">authenticated multicall functions<\/a>&nbsp;X-Pingback.&nbsp; If you need to disable the single post\/page as well, then also add the below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  add_filter('pings_open', '__return_false', PHP_INT_MAX);<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"option_3b_-_disable_via_functionsphp_in_wordpress_theme_files\"><span class=\"ez-toc-section\" id=\"option_3b_%e2%80%93_disable_via_functionsphp_in_wordpress_theme_files\"><\/span>Option 3b &#8211; Disable via Functions.php in WordPress Theme Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Reviewing the WordPress documentation on this, if you want to disable XML-RPC functionality, via WordPress functions, 
you\u2019ll find the xmlrpc_methods approach.&nbsp; With this, you\u2019re effectively gutting the entire ability of WordPress to use XML-RPC, completely eliminating the endpoints!<\/p>\n\n\n\n<p>So, in scenario number 3b, a very streamlined approach can be undertaken:<\/p>\n\n\n\n<p>Set a blanket function to cover the xmlrpc_methods:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  add_filter('xmlrpc_methods', function () {<\/code><\/pre>\n\n\n\n<p>Return nothing when it\u2019s called:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  return &#91;];<\/code><\/pre>\n\n\n\n<p>End the function:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  }, PHP_INT_MAX);<\/code><\/pre>\n\n\n\n<p>Full Version of the disable XMLRPC code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  add_filter('xmlrpc_methods', function () {\n    return &#91;];\n  }, PHP_INT_MAX);<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"usage_notes1\"><span class=\"ez-toc-section\" id=\"usage_notes-2\"><\/span>Usage notes:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>These are the same as most of 3a above, or any other theme-based functions.php edits.<\/p>\n\n\n\n<p>The key difference with this approach is that you\u2019re gutting anything where WordPress would make XML-RPC calls.&nbsp; So, you\u2019ll know that none of them are going to work and can rest easy about anyone using xmlrpc.php against you.<\/p>\n\n\n\n<p>Just don\u2019t forget to put these changes in a child theme so that you don\u2019t lose your custom coding whenever the main theme gets updated!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"option_4_-_disable_via_a_wordpress_plugin\"><span class=\"ez-toc-section\" id=\"option_4_%e2%80%93_disable_via_a_wordpress_plugin\"><\/span>Option 4 &#8211; Disable via a WordPress Plugin<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The plugin approach is always a popular one, including when you\u2019re wanting to disable XML-RPC within WordPress.&nbsp; The thing 
about plugins is, sometimes they get updated, but sometimes they don\u2019t. If they don\u2019t get updated, they can become the security risk, rather than the thing they\u2019re trying to fix!&nbsp;&nbsp;<\/p>\n\n\n\n<p>While you can find a number of plugins out there which will disable xmlrpc.php from doing what it does, there are some which only disable some functions, or there are bigger, heavier plugins which have many other security functions at the same time.&nbsp; We\u2019ve got a huge section on WordPress security, so check it out.&nbsp;<\/p>\n\n\n\n<p>Here are two popular plugins for disabling XML-RPC.&nbsp; The first is a full slash and burn, while the second is only a partial disabling of functions.&nbsp; Note that you\u2019ll be disabling pingbacks, some plugins and the ability to remote post.<\/p>\n\n\n\n<p>Plugin to fully disable XML-RPC:&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/disable-xml-rpc\/\">Disable XML-RPC<\/a><\/p>\n\n\n\n<p>Plugin to partially disable XML-RPC functions used by hackers:&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/stop-xml-rpc-attacks\/\">Stop XML-RPC Attacks<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"option_5_-_use_cloudflare_waf_to_allow_jetpack_but_otherwise_block\"><span class=\"ez-toc-section\" id=\"option_5_%e2%80%93_use_cloudflare_waf_to_allow_jetpack_but_otherwise_block\"><\/span>Option 5 &#8211; Use Cloudflare WAF to Allow JetPack but Otherwise Block<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you&#8217;re running Cloudflare, then take advantage of the&nbsp;<a href=\"https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/218377098-WordPress-Jetpack-and-Cloudflare\">Cloudflare WAF<\/a>&nbsp;to protect your WordPress blog from being hit, while still allowing JetPack to run.<\/p>\n\n\n\n<p>Here\u2019s the full explanation of how it works:&nbsp;<a href=\"https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/218377098-WordPress-Jetpack-and-Cloudflare\">WordPress Jetpack and 
Cloudflare<\/a><\/p>\n\n\n\n<p>Overall, this is an outstanding approach that can let you have your cake and eat it too!<\/p>\n\n\n\n<p>To learn about the Cloudflare Web Application Firewall (WAF) and how it can work with, or without, JetPack, visit the Cloudflare website:&nbsp;<a href=\"https:\/\/www.cloudflare.com\/waf\/\">cloudflare.com<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusions_about_disabling_xml-rpc\"><span class=\"ez-toc-section\" id=\"conclusions_about_disabling_xml-rpc\"><\/span>Conclusions about Disabling XML-RPC<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Choose any method that works for you.&nbsp; If you\u2019ve got Cloudflare WAF, then consider Option 5.&nbsp; Otherwise, Option 3b above is probably the most elegant, effective and easily administered.&nbsp;&nbsp;<\/p>\n\n\n\n<p>If you\u2019re having trouble deciding, reread your options and weigh the pros and cons.&nbsp; If all else fails, consider 5 or 3b. Good luck!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As&nbsp;WPSec.com explains, WordPress \u201cXML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism.\u201d. 
Originally, XML-RPC was developed back in the early days of WordPress, where Internet connections were slow and sporadic at best.&nbsp; In fact, rather than actively writing new posts via the WordPress [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[146],"tags":[251,166,252,106,267],"class_list":["post-1330","post","type-post","status-publish","format-standard","hentry","category-wordpress","tag-blogs","tag-bruteforce","tag-cms","tag-wordpress","tag-xmlrpc"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What is WordPress xmlrpc.php (XML-RPC)? - KnownHost<\/title>\n<meta name=\"description\" content=\"Find out what is the WordPress XML-RPC protocol used for, how it can affect your website and what you can do to disable it.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is WordPress xmlrpc.php (XML-RPC)? - KnownHost\" \/>\n<meta property=\"og:description\" content=\"Find out what is the WordPress XML-RPC protocol used for, how it can affect your website and what you can do to disable it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/\" \/>\n<meta property=\"og:site_name\" content=\"KnownHost\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-23T12:00:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-26T16:38:40+00:00\" \/>\n<meta name=\"author\" content=\"Jonathan K. 
W.\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan K. W.\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/\"},\"author\":{\"name\":\"Jonathan K. W.\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"headline\":\"What is WordPress xmlrpc.php (XML-RPC)?\",\"datePublished\":\"2021-07-23T12:00:40+00:00\",\"dateModified\":\"2026-01-26T16:38:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/\"},\"wordCount\":2044,\"keywords\":[\"blogs\",\"bruteforce\",\"cms\",\"wordpress\",\"xmlrpc\"],\"articleSection\":[\"WordPress\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/\",\"name\":\"What is WordPress xmlrpc.php (XML-RPC)? 
- KnownHost\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\"},\"datePublished\":\"2021-07-23T12:00:40+00:00\",\"dateModified\":\"2026-01-26T16:38:40+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"description\":\"Find out what is the WordPress XML-RPC protocol used for, how it can affect your website and what you can do to disable it.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-wordpress-xmlrpc\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is WordPress xmlrpc.php (XML-RPC)?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\",\"name\":\"KnownHost\",\"description\":\"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\",\"name\":\"Jonathan K. 
W.\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"caption\":\"Jonathan K. W.\"},\"sameAs\":[\"https:\\\/\\\/www.knownhost.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is WordPress xmlrpc.php (XML-RPC)? - KnownHost","description":"Find out what is the WordPress XML-RPC protocol used for, how it can affect your website and what you can do to disable it.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/","og_locale":"en_US","og_type":"article","og_title":"What is WordPress xmlrpc.php (XML-RPC)? - KnownHost","og_description":"Find out what is the WordPress XML-RPC protocol used for, how it can affect your website and what you can do to disable it.","og_url":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/","og_site_name":"KnownHost","article_published_time":"2021-07-23T12:00:40+00:00","article_modified_time":"2026-01-26T16:38:40+00:00","author":"Jonathan K. W.","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jonathan K. W.","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/#article","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/"},"author":{"name":"Jonathan K. 
W.","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"headline":"What is WordPress xmlrpc.php (XML-RPC)?","datePublished":"2021-07-23T12:00:40+00:00","dateModified":"2026-01-26T16:38:40+00:00","mainEntityOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/"},"wordCount":2044,"keywords":["blogs","bruteforce","cms","wordpress","xmlrpc"],"articleSection":["WordPress"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/","url":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/","name":"What is WordPress xmlrpc.php (XML-RPC)? - KnownHost","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/#website"},"datePublished":"2021-07-23T12:00:40+00:00","dateModified":"2026-01-26T16:38:40+00:00","author":{"@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"description":"Find out what is the WordPress XML-RPC protocol used for, how it can affect your website and what you can do to disable it.","breadcrumb":{"@id":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.knownhost.com\/kb\/what-is-wordpress-xmlrpc\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.knownhost.com\/kb\/"},{"@type":"ListItem","position":2,"name":"What is WordPress xmlrpc.php (XML-RPC)?"}]},{"@type":"WebSite","@id":"https:\/\/www.knownhost.com\/kb\/#website","url":"https:\/\/www.knownhost.com\/kb\/","name":"KnownHost","description":"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux 
questions.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.knownhost.com\/kb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b","name":"Jonathan K. W.","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","caption":"Jonathan K. W."},"sameAs":["https:\/\/www.knownhost.com"]}]}},"_links":{"self":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/comments?post=1330"}],"version-history":[{"count":4,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1330\/revisions"}],"predecessor-version":[{"id":8061,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1330\/revisions\/8061"}],"wp:attachment":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/media?parent=1330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/categories?post=1330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\
/tags?post=1330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}