Disable XML-RPC
XML-RPC was useful in WordPress’s early days — it let you publish posts from desktop apps and mobile devices. But today? The REST API handles all that better. Meanwhile, XML-RPC has become one of the most exploited attack vectors on WordPress sites. Attackers use it for brute force attacks, DDoS amplification, and pingback spam. If you’re not actively using it, turn it off.
Use Cases
- Block brute force attacks that try thousands of passwords via xmlrpc.php
- Prevent your site from being used in DDoS amplification attacks
- Stop pingback spam from flooding your comments
- Reduce server load from bot requests hitting XML-RPC
- Clean up your site’s attack surface by removing unused functionality
How It Works
This is a toggle module — enable it and XML-RPC is disabled. No configuration needed.
When enabled, the module:
- Returns 403 Forbidden for any request to xmlrpc.php
- Disables all XML-RPC methods at the WordPress level
- Removes the RSD (Really Simple Discovery) link from your HTML head
- Removes the Windows Live Writer manifest link
- Removes the X-Pingback header from responses
- Disables pingbacks entirely
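As an added illustration of what the list above amounts to in code (this is not the module's own source), the same behaviour can be reproduced with standard WordPress core hooks in a must-use plugin. The hook and function names are WordPress core's; the plugin name and file placement are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (illustrative example)
 * Description: Added example reproducing the listed behaviour with core hooks.
 *
 * Assumption: saved as wp-content/mu-plugins/disable-xmlrpc-example.php.
 */

// 1. Disable all XML-RPC methods that require login. With this filter
//    returning false, WordPress answers them with fault 405
//    "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Answer any request to xmlrpc.php with 403 Forbidden before a method is
//    dispatched. xmlrpc.php defines XMLRPC_REQUEST before loading WordPress,
//    so this runs on every XML-RPC request and on nothing else.
add_action( 'init', function () {
	if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
		status_header( 403 );
		nocache_headers();
		header( 'Content-Type: text/plain; charset=utf-8' );
		echo 'XML-RPC services are disabled on this site.';
		exit;
	}
}, 1 );

// 3. Remove the RSD (Really Simple Discovery) link and the Windows Live
//    Writer manifest link from the HTML head. Both are registered on wp_head
//    in default-filters.php, which loads before plugins, so removing them
//    here is safe.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// 4. Drop the X-Pingback header that WP::send_headers() adds on singular
//    pages, and blank the pingback URL for themes that print
//    <link rel="pingback">.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
	return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 5. Disable pingbacks entirely. Note that pingback.ping does NOT go through
//    login(), so the xmlrpc_enabled filter alone would leave it callable;
//    removing the methods closes that gap, pings_open stops inbound
//    pingbacks being accepted, and emptying the pre_ping link list stops
//    this site sending pingbacks when a post is published.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );
add_filter( 'pings_open', '__return_false', 20 );
add_action( 'pre_ping', function ( &$links ) {
	$links = array();
} );
```

Step 2 is what makes the curl check in the Verification section return 403; steps 1 and 5 are defense in depth for code paths that reach the XML-RPC server without going through xmlrpc.php's normal request flow.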
What Gets Blocked
| Before | After |
|---|---|
| yoursite.com/xmlrpc.php returns XML response | Returns 403 Forbidden |
| `<link rel="EditURI" ...>` in HTML head | Removed |
| `<link rel="wlwmanifest" ...>` in HTML head | Removed |
| X-Pingback header in responses | Removed |
| Pingbacks can be sent/received | Disabled |
Why XML-RPC is a Security Risk
Brute Force Amplification
Normal brute force attacks try one password per request. XML-RPC’s system.multicall method lets attackers try hundreds of passwords in a single request. This bypasses many rate-limiting protections.
DDoS Amplification
Attackers can abuse the pingback feature to make your server send requests to target sites. Your server becomes an unwitting participant in DDoS attacks, and the target sees requests coming from your IP.
Pingback Spam
Spammers use XML-RPC pingbacks to flood sites with junk trackbacks, often linking to malicious or SEO-spam sites.
Verification
After enabling, verify XML-RPC is blocked:
- Visit yoursite.com/xmlrpc.php directly. You should see “XML-RPC services are disabled on this site.”
- View your homepage source — no RSD or wlwmanifest links should appear
Using curl:
`curl -I yoursite.com/xmlrpc.php`
Should return HTTP/1.1 403 Forbidden.
FAQ
Will this break the WordPress mobile app?
The official WordPress app switched to the REST API years ago. If you’re using a current version of the app, XML-RPC isn’t needed. Very old app versions (pre-2015) might have issues.
Will this break Jetpack?
Jetpack primarily uses the REST API now. Some older Jetpack features relied on XML-RPC, but current versions work fine without it. If you experience issues, Jetpack’s troubleshooting docs have guidance.
I need XML-RPC for a specific integration. What should I do?
If you have a legitimate need for XML-RPC (legacy desktop publishing app, specific third-party integration), you’ll need to keep this module disabled. Consider restricting XML-RPC access via .htaccess to specific IPs instead.
Will this stop all brute force attacks?
It stops XML-RPC-based attacks, which are common. Attackers can still target wp-login.php directly. For complete protection, combine this with the Limit Login Attempts module.
My security scanner still flags XML-RPC. Why?
Some scanners check whether the xmlrpc.php file exists, not whether it’s functional. The file still exists (it’s part of WordPress core), but this module makes it return 403 Forbidden, effectively disabling it.
Can I delete xmlrpc.php instead?
You could, but it will come back with every WordPress update. Using this module is the proper way to disable XML-RPC without modifying core files.
Already under attack?
If you’re seeing heavy traffic to xmlrpc.php in your logs, enabling this module will immediately block those requests. For severe attacks, you may also want to add a server-level block via .htaccess or your firewall for better performance.
This module is safe for the vast majority of WordPress sites. Unless you specifically know you need XML-RPC for a particular integration, enable this module.
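For the FAQ case where XML-RPC has to stay on for one integration, here is an added example (not part of the module or this page) that does the restriction in PHP rather than .htaccess: an IP allow-list for xmlrpc.php, plus removal of system.multicall and the pingback methods that the “Why XML-RPC is a Security Risk” section describes. The addresses in the allow-list are placeholder documentation ranges, and the plugin name and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (illustrative example)
 * Description: Added example: keep XML-RPC on for an allow-list of clients,
 *              but remove the multicall and pingback methods for everyone.
 *
 * Assumption: saved as wp-content/mu-plugins/restrict-xmlrpc-example.php.
 */

// Placeholder client addresses (RFC 5737 documentation ranges); replace with
// the real address(es) of the integration that needs XML-RPC.
const XMLRPC_EXAMPLE_ALLOWED_CLIENTS = array( '203.0.113.10', '198.51.100.0/24' );

/** True if $ip equals $cidr or lies inside it (IPv4 or IPv6). */
function xmlrpc_example_ip_in_cidr( string $ip, string $cidr ): bool {
	if ( strpos( $cidr, '/' ) === false ) {
		return inet_pton( $ip ) !== false && inet_pton( $ip ) === inet_pton( $cidr );
	}
	list( $subnet, $bits ) = explode( '/', $cidr, 2 );
	$ip_bin  = inet_pton( $ip );
	$net_bin = inet_pton( $subnet );
	if ( $ip_bin === false || $net_bin === false || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
		return false; // unparsable, or mixing IPv4 with IPv6
	}
	$bits       = (int) $bits;
	$full_bytes = intdiv( $bits, 8 );
	$rem        = $bits % 8;
	if ( substr( $ip_bin, 0, $full_bytes ) !== substr( $net_bin, 0, $full_bytes ) ) {
		return false;
	}
	if ( 0 === $rem ) {
		return true;
	}
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF; // top $rem bits of the partial byte
	return ( ord( $ip_bin[ $full_bytes ] ) & $mask ) === ( ord( $net_bin[ $full_bytes ] ) & $mask );
}

function xmlrpc_example_client_allowed( string $ip ): bool {
	foreach ( XMLRPC_EXAMPLE_ALLOWED_CLIENTS as $entry ) {
		if ( xmlrpc_example_ip_in_cidr( $ip, $entry ) ) {
			return true;
		}
	}
	return false;
}

// Gate xmlrpc.php on the client address. XMLRPC_REQUEST is defined by
// xmlrpc.php before WordPress loads, so this only fires for XML-RPC.
add_action( 'init', function () {
	if ( ! ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ) {
		return;
	}
	// REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the
	// proxy's address, and X-Forwarded-For is client-supplied unless the proxy
	// overwrites it, so only read that header if you know your proxy does.
	$ip = $_SERVER['REMOTE_ADDR'] ?? '';
	if ( ! xmlrpc_example_client_allowed( $ip ) ) {
		status_header( 403 );
		nocache_headers();
		exit( 'XML-RPC is restricted on this site.' );
	}
}, 1 );

// Even for allowed clients, drop system.multicall (hundreds of login attempts
// per request) and every pingback.* method (amplification and spam).
function xmlrpc_example_strip_methods( array $methods ): array {
	foreach ( array_keys( $methods ) as $name ) {
		if ( 'system.multicall' === $name || 0 === strpos( $name, 'pingback.' ) ) {
			unset( $methods[ $name ] );
		}
	}
	return $methods;
}
add_filter( 'xmlrpc_methods', 'xmlrpc_example_strip_methods' );
```

This is the in-application equivalent of the .htaccess approach the FAQ suggests; a server-level rule still rejects the request earlier and more cheaply, so prefer that where you control the web server and use this where you do not.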