Don’t Get Hacked! How to Disable XML-RPC on WordPress in 5 Minutes

Learn how to disable XML-RPC in your WordPress site using code. This is done to enhance security and avoid attacks on your site.


Every WordPress installation ships with xmlrpc.php, the endpoint for the legacy XML-RPC protocol. Left open, it hands attackers a second login endpoint that most brute-force protections never watch, a system.multicall method that packs many login attempts into one HTTP request, and a pingback feature that can be turned into a reflected DDoS source. On most modern sites nothing you use talks to it.

In this article, I’ll show you how you can disable XML-RPC safely without breaking functionality.

What is XML-RPC?

XML-RPC is a remote procedure call protocol that lets external applications communicate with WordPress. It uses XML to encode data and HTTP as the transport mechanism. The xmlrpc.php file in your WordPress root directory processes these requests.

WordPress has included XML-RPC from the beginning to enable remote publishing. This allowed desktop blogging clients and early mobile apps to create and manage content externally. It also carries pingbacks between sites (trackbacks use a separate endpoint, wp-trackback.php, and are not affected by anything in this article).

Today, XML-RPC has largely been superseded by the WordPress REST API (content endpoints since WordPress 4.7). Most current integrations use the REST API. The notable holdouts are Jetpack, which still connects to WordPress.com through xmlrpc.php, and the official WordPress mobile apps when they sign in directly to a self-hosted site. Beyond those, XML-RPC remains mainly for backward compatibility with older clients.

The file still answers requests by default, which makes it a standing piece of attack surface rather than a vulnerability in itself. Every authenticated call carries the username and password (or application password) in the request body, with no login cookie, nonce or CAPTCHA in the way, so it is effectively a second login form that many lockout plugins never look at.

Why You Should Disable XML-RPC

XML-RPC enables brute-force attacks that slip past protections aimed at wp-login.php. Attackers use the system.multicall method to bundle hundreds of login attempts into a single HTTP request, which defeats tools that count repeated failed logins on the standard login page. WordPress 4.4 and later blunt this: once one login inside a request fails, every further login attempt in the same request is rejected without being checked, so multicall no longer gives a real amplification factor. The endpoint is still an unthrottled, CAPTCHA-free login target, and one request per guess is cheap enough for a botnet.

The protocol also turns your site into a DDoS reflector through its pingback feature. An attacker sends xmlrpc.php a pingback.ping call claiming that one of your posts was linked from the victim's URL, and WordPress dutifully fetches that URL to verify the link. Repeated across thousands of WordPress sites, this floods the victim with requests it never asked for while your server burns bandwidth and risks getting its IP address blocklisted.

XML-RPC adds attack surface with no return for most sites. Every authenticated request transmits credentials in the clear inside the body, and everything a current integration needs is available through the REST API, which authenticates with cookies plus nonces or with application passwords and is the interface WordPress itself actively maintains.

Is It Safe to Disable XML-RPC?

Disabling XML-RPC is safe for most modern WordPress installations. The block editor, the admin dashboard, and most current plugins and mobile clients use the REST API and are unaffected. The exceptions are Jetpack, which still connects to WordPress.com through xmlrpc.php, the official WordPress mobile apps when signing in directly to a self-hosted site, and older desktop publishing clients. If you rely on one of those, use the IP whitelisting described later in this article instead of a blanket block.

Beyond those clients, you only need XML-RPC if you run a WordPress older than 4.7 (the first release with REST API content endpoints) or a legacy application that was never migrated. Several managed hosting providers already block or rate-limit xmlrpc.php by default, a good indication of how little legitimate traffic it carries.

Security guidance for WordPress consistently recommends disabling this protocol when nothing uses it. Removing an entire attack surface outweighs the compatibility concerns, which are confined to the few clients named above.

How to Disable XML-RPC (The Code Snippet)

You can disable XML-RPC with this snippet. It switches off authenticated methods through WordPress's own filter and cuts off every other request to xmlrpc.php, pingbacks included, before the XML-RPC server ever sees it.

// Makes WordPress refuse every XML-RPC method that needs authentication
// (remote publishing, system.multicall logins). Unauthenticated methods such
// as pingback.ping are not covered by this filter; the init hook handles them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so this is a
// precise test; matching 'xmlrpc.php' anywhere in REQUEST_URI would also
// catch an ordinary post whose slug happens to contain that text.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        wp_redirect( home_url() );
        exit;
    }
} );

The xmlrpc_enabled filter makes WordPress refuse every method that requires authentication: remote publishing, wp.getUsersBlogs, and any login attempted through system.multicall. Despite its name it does not switch off the protocol; unauthenticated methods such as pingback.ping, system.listMethods and demo.sayHello keep working. The init action closes that gap. xmlrpc.php defines the XMLRPC_REQUEST constant and then loads WordPress, so by the time init fires the request is recognised and redirected to your homepage before the XML-RPC server parses the body. Note that this happens inside WordPress, after bootstrap; genuine server-level blocking is the .htaccess rule in the whitelisting section below.

Together the two leave no XML-RPC functionality reachable. Neither system.multicall nor pingback.ping is ever dispatched, so the brute-force and reflection attacks described above have nothing to talk to.

Step-by-Step: Add Snippet to Your WordPress Website

While you can directly add this code snippet to your theme’s functions.php file, editing theme files directly creates ongoing problems. Theme updates overwrite your custom code without warning. A syntax error can trigger a white screen that locks you out of your admin dashboard.

WPCodeBox eliminates these risks by running your code independently from your theme. The plugin isolates snippets in a secure execution environment with intelligent error detection that prevents most mistakes from crashing your site. Your modifications stay active when you switch themes or run updates, making them truly portable and maintenance-free.


It also provides cloud storage to reuse solutions across all your WordPress sites instantly. The built-in code editor offers autocomplete for WordPress functions, hooks, and actions. You can organize snippets in folders, create plugins from snippet folders, and share access with team members through API keys. It not only works with PHP snippets, but you can also use it to add CSS and JavaScript snippets from one organized dashboard. 

Now that you know WPCodeBox protects your code from theme conflicts, here’s how to add the snippet:

  1. Install and activate WPCodeBox from your WordPress Plugins menu.
  2. Navigate to WPCodeBox in your admin sidebar to open the snippet creation interface.
  3. Name your snippet “Disable XML-RPC” for easy identification.
  4. Paste the complete PHP code into the code editor.
  5. Configure these settings:
    • Type: PHP Snippet
    • Location: Run Everywhere (Frontend + Admin)
    • Conditions: Always Run
  6. Add a description: “Completely disables XML-RPC and blocks direct file access.”
  7. Click “Save” to store your snippet in a disabled state.
  8. Review your code for syntax errors or missing characters.
  9. Enable the snippet to activate XML-RPC blocking immediately.

Your site now rejects XML-RPC at two levels. The init redirect stops every request to xmlrpc.php, and the filter keeps authenticated methods disabled even if some other code path reaches the XML-RPC server.

How to Whitelist Specific Plugins (Advanced Configuration)

You might need XML-RPC for one integration (Jetpack, a mobile app, a legacy publishing client) while blocking everyone else. That calls for restricting access by source IP address, ideally at the web server. Be aware that the PHP snippet above redirects every xmlrpc.php request regardless of where it comes from, so remove it (or make it IP-aware) before you whitelist; otherwise the allowed client stays locked out too.

If you know the IP address the integration connects from, add this restriction to the .htaccess file in your WordPress root. It is an Apache directive, not PHP, so it belongs in .htaccess rather than in a PHP snippet; replace the placeholder with the real address, and add one line per address or range if the vendor publishes several. On Nginx, which ignores .htaccess, put the equivalent allow/deny rule in a location block for /xmlrpc.php in the server configuration.

# Apache 2.4 (mod_authz_core). Only the listed address may reach xmlrpc.php;
# everything else gets 403. Add one "Require ip" line per address or CIDR range.
<Files xmlrpc.php>
    Require ip 123.123.123.123
</Files>
# Apache 2.2, or 2.4 with mod_access_compat loaded, uses the older form instead:
#   Order deny,allow
#   Deny from all
#   Allow from 123.123.123.123

Jetpack users should not disable XML-RPC outright. Jetpack still relies on xmlrpc.php for its connection to WordPress.com, and its own troubleshooting documentation lists a blocked xmlrpc.php as a common cause of connection failures. If you run Jetpack, whitelist the addresses it connects from (Jetpack publishes them in its hosting documentation) rather than blocking the endpoint.

Check each plugin's or client's documentation to confirm whether it truly needs XML-RPC; most have already migrated to the REST API. If XML-RPC is essential, implement IP-based whitelisting rather than leaving the endpoint open to the whole internet.
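For sites that cannot block xmlrpc.php completely, the following is an added example (not code from the original article or from WPCodeBox) of a PHP-side alternative to the .htaccess rule that also addresses the two threats from the "Why You Should Disable XML-RPC" section: it allows XML-RPC only from listed source addresses, removes the pingback methods, neutralises system.multicall, drops the X-Pingback header, and logs every failed XML-RPC login so fail2ban or a SIEM can ban the source. The IP addresses and the class name Hardened_XMLRPC_Server are placeholders of my own; the hooks used (init, xmlrpc_methods, wp_xmlrpc_server_class, wp_headers, xmlrpc_login_error) are WordPress core hooks.

```php
<?php
/**
 * Added example, not part of the original article or of WPCodeBox.
 * Use this INSTEAD of the disable-everything snippet when one integration
 * still needs XML-RPC. Drop the opening tag if your snippet tool adds its own.
 */

// Assumed placeholder addresses; replace with the ones your integration uses.
const XMLRPC_ALLOWED_IPS = [ '123.123.123.123', '198.51.100.7' ];

function xmlrpc_client_ip(): string {
    // REMOTE_ADDR is the only address the web server vouches for. Read a
    // forwarded header here only if a proxy you control always sets it.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

// 1. Source-IP allowlist. init fires on every xmlrpc.php request before the
//    XML-RPC server parses the body (xmlrpc.php defines XMLRPC_REQUEST first).
add_action( 'init', function () {
    if ( ! ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ) {
        return;
    }
    if ( ! in_array( xmlrpc_client_ip(), XMLRPC_ALLOWED_IPS, true ) ) {
        status_header( 403 );
        nocache_headers();
        exit( 'XML-RPC is not available from this address.' );
    }
} );

// 2. The pingback methods live in wp_xmlrpc_server::$methods, so the
//    xmlrpc_methods filter can remove them for every client.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. system.multicall is registered by the IXR_Server base class AFTER the
//    filter above has run, so removing it there has no effect; override the
//    handler instead. The class is declared inside the callback because
//    class-wp-xmlrpc-server.php is loaded by xmlrpc.php just before this
//    filter fires, so it cannot be extended at plugin load time.
add_filter( 'wp_xmlrpc_server_class', function ( $class ) {
    if ( ! class_exists( 'Hardened_XMLRPC_Server', false ) ) {
        class Hardened_XMLRPC_Server extends wp_xmlrpc_server {
            public function multiCall( $methodcalls ) {
                return new IXR_Error( 405, 'system.multicall is disabled on this site.' );
            }
        }
    }
    return 'Hardened_XMLRPC_Server';
} );

// 4. Stop advertising the pingback endpoint in the X-Pingback header.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 5. One greppable line per failed XML-RPC login, written to the PHP error
//    log; a fail2ban filter can match "wp-xmlrpc-auth-failed ip=<HOST>".
add_action( 'xmlrpc_login_error', function ( $user_error, $ixr_error ) {
    error_log( sprintf( 'wp-xmlrpc-auth-failed ip=%s', xmlrpc_client_ip() ) );
}, 10, 2 );
```

Remote publishing (the wp.* and mt.* methods) keeps working for the allowed addresses; only the multicall and pingback paths are closed. Step 3 is the one that differs from what most "disable multicall" snippets do: unsetting system.multicall in the xmlrpc_methods filter looks right but is silently undone when the server object registers its built-in system.* callbacks, which is why the example replaces the server class instead.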

How to Verify XML-RPC is Disabled

You can verify XML-RPC is disabled by visiting yoursite.com/xmlrpc.php directly in your browser. With the snippet active, the page immediately redirects to your homepage, which confirms the init-hook block. Bear in mind that a browser GET only exercises the redirect; an attacker's scanner POSTs XML, so a complete check also sends a system.listMethods call and confirms that no method list comes back.

If you see the message "XML-RPC server accepts POST requests only" instead, the endpoint is still live. Check that your snippet is enabled in WPCodeBox with Location set to Run Everywhere (step 5 above), clear your site cache, and make sure no CDN or page-cache rule serves /xmlrpc.php without passing it through PHP.
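The following command-line checker is an added example (not part of the original article or of WPCodeBox) that probes xmlrpc.php the way a scanner would: a plain GET, then a POST carrying a system.listMethods call, which WordPress answers without authentication even when the xmlrpc_enabled filter is set to false. It uses only PHP's built-in stream wrapper and SimpleXML; the hostname example.com is a placeholder.

```php
<?php
/**
 * Added example, not part of the original article. Probes xmlrpc.php from
 * outside the site. Usage: php xmlrpc-check.php https://example.com
 * (example.com is a placeholder for your own site).
 */

function xmlrpc_probe( string $url, string $method, string $body = '' ): array {
    $http = [
        'method'          => $method,
        'ignore_errors'   => true,   // keep the body on 4xx/5xx responses
        'follow_location' => 0,      // a redirect is itself the result we want
        'timeout'         => 10,
        'header'          => "Content-Type: text/xml\r\nUser-Agent: xmlrpc-check\r\n",
    ];
    if ( $body !== '' ) {
        $http['content'] = $body;
    }
    $out    = @file_get_contents( $url, false, stream_context_create( [ 'http' => $http ] ) );
    $status = 0;
    // $http_response_header is filled in by file_get_contents in this scope.
    foreach ( $http_response_header ?? [] as $line ) {
        if ( preg_match( '#^HTTP/\S+\s+(\d{3})#', $line, $m ) ) {
            $status = (int) $m[1];
        }
    }
    return [ 'status' => $status, 'body' => (string) $out ];
}

function xmlrpc_methods_from_response( string $xml ): array {
    // A listMethods reply is <methodResponse><params><param><value><array><data>
    // <value><string>NAME</string></value>...; a fault, an HTML page or an
    // empty redirect body yields an empty list.
    libxml_use_internal_errors( true );
    $doc = simplexml_load_string( $xml );
    if ( $doc === false || ! isset( $doc->params ) ) {
        return [];
    }
    $names = [];
    foreach ( $doc->xpath( '//array/data/value/string' ) ?: [] as $node ) {
        $names[] = (string) $node;
    }
    return $names;
}

$base = rtrim( $argv[1] ?? 'https://example.com', '/' );
$url  = $base . '/xmlrpc.php';

$get  = xmlrpc_probe( $url, 'GET' );
$post = xmlrpc_probe(
    $url,
    'POST',
    '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>'
);
$methods = xmlrpc_methods_from_response( $post['body'] );

printf( "GET  %s -> HTTP %d\n", $url, $get['status'] );
printf( "POST system.listMethods -> HTTP %d, %d methods listed\n", $post['status'], count( $methods ) );

if ( in_array( 'pingback.ping', $methods, true ) || in_array( 'system.multicall', $methods, true ) ) {
    echo "XML-RPC is still ACTIVE: the server lists its methods, so pingback.ping and\n";
    echo "system.multicall are reachable. A site with only xmlrpc_enabled=false looks like this.\n";
} elseif ( $get['status'] >= 300 && $get['status'] < 400 ) {
    echo "Blocked inside WordPress: xmlrpc.php redirected before the XML-RPC server ran.\n";
} elseif ( $get['status'] === 403 || $post['status'] === 403 ) {
    echo "Blocked at the web server (HTTP 403).\n";
} else {
    echo "No method list returned; XML-RPC appears to be disabled.\n";
}
```

The point of the listMethods probe is the first branch: a site that only applied the xmlrpc_enabled filter still returns its full method list, because system.listMethods needs no login. Only the redirect or a web-server 403 shows the endpoint is actually unreachable.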

More on Disabling XML-RPC

1. What happens if I disable XML-RPC?

For most website owners, disabling XML-RPC will have no negative impact. You will still be able to log in, write posts, and manage plugins from your browser. However, disabling it will break connections for external tools that specifically rely on it. This includes the official WordPress mobile app when it connects directly to a self-hosted site, and the Jetpack plugin. If you do not use those apps or remote publishing tools to manage your site, turning it off is safe and recommended.

2. What are the security issues with XML-RPC?

The primary security risk is brute-force attacks. Attackers use the system.multicall method to try hundreds of username and password combinations in a single request, which lets them guess passwords while bypassing lockouts that only watch wp-login.php. WordPress 4.4 and later stop checking further logins in a request after the first failure, but the endpoint remains an unmonitored login target. Attackers can also abuse the pingback feature to launch reflected DDoS attacks: your site is tricked into sending traffic to a third-party victim, which wastes your bandwidth and can get your IP address blocklisted.
