You can support us by downloading this article as PDF from the Link below. Download the guide as PDF

XML-RPC is WordPress feature that allows for data transfer over HTTP with XML being used as the encoding mechanism. It was initially created to facilitate WordPress communication with other systems. An example use case for this is posting to your site from a mobile device through a remote access feature enabled by xmlrpc.php.

There have been recent security concerns related to XML-RPC and with the new WordPress API, the use of XML-RPC will be deprecated. Since there is less use of XML-RPC, it can be disabled entirely in your WordPress website.

Disable Xmlrpc.php in WordPress – Apache Web server

If you’re using an Apache webs server, you can open the site configuration file and disable access to xmlrpc.php from your users by adding the following block:

# Block access to WordPress xmlrpc.php
<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
</Files>

If you want to allow access only from trusted network, add the IP address like below.

# Block access to WordPress xmlrpc.php
<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
  Allow from x.x.x.x
</Files>
  • Change x.x.x.x to the IP address will access xmlrpc.php from.

Restart apache server after the change.

--- Debian / Ubuntu ---
$ sudo systemctl restart apache2

--- CentOS / Fedora / RHEL ---
$ sudo systemctl restart httpd

Disable Xmlrpc.php in WordPress – Nginx Web server

For Nginx users, disable access to xmlrpc.php by adding a line to your web configuration fille which look like this:

location = /xmlrpc.php {
          deny all;
          access_log off;
          log_not_found off;
}

Restart Nginx server after the change.

sudo systemctl restart nginx

If you try to access the PHP script, you should get a 403 Forbidden error message.

Disable Xmlrpc.php in WordPress with Plugin

There are plugins which can help you disable Xmlrpc.php in WordPress. If you go to plugins section and search keyword “Disable XML-RPC“.

Other security plugins such as Wordfence Security – Firewall & Malware Scan also gives an option to disable XML-RPC on WordPress.

More guides on Web:

Best Free and Open Source Web Hosting Control Panels

How To Host WordPress website with Caddy Web Server

Install Drupal 8 on Debian 10 (Buster) Linux

Best Commercial Cpanel Alternatives

You can support us by downloading this article as PDF from the Link below. Download the guide as PDF