medium risk

How to Disable XML-RPC in WordPress

xmlrpc.php is a legacy remote API most sites no longer need. Left exposed, it lets attackers amplify brute-force attempts (hundreds of password guesses per request) and abuse pingbacks for DDoS. Unless you rely on the Jetpack/mobile app or remote publishing, disable it.

  1. 1

    Check whether you actually use it

    The WordPress mobile app, Jetpack, and some remote-publishing tools use XML-RPC. If you don't use any of those, it's safe to block entirely.

  2. 2

    Block it at the server (recommended)

    Add this to your .htaccess (Apache) to deny all access to xmlrpc.php:

    <Files xmlrpc.php>
      Order Deny,Allow
      Deny from all
    </Files>
  3. 3

    Or disable it in WordPress

    If you can't edit server config, disable it with a filter in your theme's functions.php or a small plugin:

    add_filter( 'xmlrpc_enabled', '__return_false' );
  4. 4

    Disable pingbacks specifically

    If you need XML-RPC for the app but not pingbacks, remove just the pingback methods to stop DDoS abuse.

    add_filter( 'xmlrpc_methods', function ( $methods ) {
      unset( $methods['pingback.ping'] );
      return $methods;
    } );

Related concept: WordPress REST API

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides