Every new hosting plan ordered during MAY2019 can request free DNSSEC setup ($39 value). Use coupon MAY2019 for free DNSSEC ($39 value).
Dominate local SEO with a regional SlickStack cloud server for just $39/month! Order Now
250,000+ sites use our plugins! Become A Member

How (And Why) To Disable WordPress XML-RPC

Jesse Nickles   |  2 Oct, 2015

In my opinion, the XML-RPC function in WordPress is a nightmare. Back in the day, core WordPress contributors thought it would be a cool idea to allow remote connections to WordPress websites, for the purpose of such things like a desktop blogging client (or more recently, for the WordPress mobile apps that allow blog management from a smartphone, etc).

They quickly discovered, however, that XML-RPC was a primary target for hackers and server exploitation. In fact, prior to WordPress 3.5, the XML-RPC function was disabled by default in all WordPress installations. However, in a WordPress core track ticket that announced XML-RPC would be enabled by default in 3.5, contributor @nachin explained:

Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core. There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.

Simply put, this is 100% wrong. Just several months later, web security firms Incapsula, Sucuri, and others reported massive DDOS attacks (in the millions) were being carried out against WordPress websites by using the XML-RPC script included in all WordPress installations (and this isn’t even mentioning the millions of “pingback/trackback” spam attacks that happen on a daily basis via XML-RPC). Now a few years on, and there are hundreds and hundreds of bloggers across the web posting bewildered support requests and testimonies claiming their website or server is “crashing” because of XML-RPC.

All this, because of a function that literally NOBODY uses. The only popular use for XML-RPC is its “pingback” functionality, which again, is 99% of the time just a feature abused by hackers and spammers to exploit poorly managed WordPress blogs (i.e. posting links to Viagra, etc). I mean really, if we asked around, what percentage of WordPress users would say they use their smartphone for blogging, or would say they actually use the “pingback/trackback” feature on a daily basis?

The answer for 99% of WordPress bloggers would be a resounding NOPE!

Correction: The popular Jetpack plugin also uses XML-RPC for some of its features… but frankly, you shouldn’t be using Jetpack if you care about site performance, as it calls various 3rd party resources and is generally a poor, overloaded concept.

Anyway, the in-depth arguments against XML-RPC can be saved for another day. For now, suffice it to say that 99% of the people reading this should go ahead and disable XML-RPC using the methods below:

1. Disable XML-RPC. Our free WordPress plugin is by far the easiest way to disable XML-RPC completely on your WordPress website. Simply install it and forget it, and you are (mostly) good to go. However, bots can still target your actual /xmlrpc.php file on your server (causing excessive load in many cases), so this is only a partial solution.

2. Theme Functions. If you don’t want to install the plugin above, you can simply put the below code in your theme’s functions.php file. However, this is not recommended, as the WordPress community has been encouraging the removal of theme-specific functions and implementing a WordPress plugin instead. Anyway, here is the code:

add_filter('xmlrpc_enabled', '__return_false');

3. Disable Pingbacks/Trackbacks. If you have done either #1 or #2 above, this setting won’t matter much. Still, for good measure (and to keep your blog’s administrators aware) you should also go into WordPress Settings >> Discussion and clear the checkbox for “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles”

4. Apache htaccess. As mentioned in #1, “disabling” XML-RPC functions in WordPress is only a partial solution to stopping DDOS attacks and/or pingback spam. To REALLY block abuse of your xmlrplc.php file, you must deny public access:

## block any attempted XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

5. Nginx server block. Last but not least, hopefully you are using an Nginx server rather than Apache these days (as do all of our managed hosting clients). If so, you can add the below code to your appropriate Nginx server block rules:

## block any attempted XML-RPC requests
location = /xmlrpc.php {
    deny all;

Note: some bloggers and web hosting companies have advised WordPress users to simply “delete” the xmlrpc.php file after they install WordPress. This is a bad idea for a few reasons: firstly, whenever you update WordPress, that file will come back anyways, and secondly, anything trying to access the file will generate a 404 error (rather than “denied”) which isn’t really proper server management. Depending on your setup, 404 errors could still put great load on your website too.

Tags: , , , , , , , ,

Last modified: 6 Nov, 2017https://www.littlebizzy.com/?p=4341

Results For Local Business, High Traffic, And E-Commerce.

Local Business

"After being hosted on GoDaddy for years, I didn't realize how negatively it was impacting my search traffic. Soon after moving to LittleBizzy, my homepage went from page 3 on Google to #1 world-wide for my target market, and I also reached the top 3 on Google Maps, with no additional SEO work."

Juliette S.

High Traffic

"Before moving to LittleBizzy, whenever our news website was featured on the Drudge Report, it often slowed to a crawl or even froze up during big traffic spikes. Now, that never happens anymore, and we've been able to focus on publishing more articles instead of worrying about our web hosting."

Tony H.


"The research by Amazon is definitely true, because our slow WooCommerce store was bleeding sales. After LittleBizzy stabilized our performance and moved us closer to our target customers, we saw a measurable improvement in shopping cart checkouts, esp. during holidays... much better!"

Mohammed H.

No contracts, free migration, and free SSL forever. What are you waiting for? Order Hosting Now.

WordPress Gossip, Technical SEO News, And Other Goodies.

Free. Unsubscribe anytime.

Brands That Trust Our Software: