How to Disable XML-RPC in WordPress
xmlrpc.php is a legacy remote API most sites no longer need. Left exposed, it lets attackers amplify brute-force attempts (hundreds of password guesses per request) and abuse pingbacks for DDoS. Unless you rely on the Jetpack/mobile app or remote publishing, disable it.
- 1
Check whether you actually use it
The WordPress mobile app, Jetpack, and some remote-publishing tools use XML-RPC. If you don't use any of those, it's safe to block entirely.
- 2
Block it at the server (recommended)
Add this to your .htaccess (Apache) to deny all access to xmlrpc.php:
<Files xmlrpc.php> Order Deny,Allow Deny from all </Files> - 3
Or disable it in WordPress
If you can't edit server config, disable it with a filter in your theme's functions.php or a small plugin:
add_filter( 'xmlrpc_enabled', '__return_false' ); - 4
Disable pingbacks specifically
If you need XML-RPC for the app but not pingbacks, remove just the pingback methods to stop DDoS abuse.
add_filter( 'xmlrpc_methods', function ( $methods ) { unset( $methods['pingback.ping'] ); return $methods; } );
Related concept: WordPress REST API
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Block ?author= scans, restrict the users REST endpoint, and use generic login errors.