How to Disable XML-RPC in your WordPress Site

XML-RPC on WordPress is an API, or “application program interface”, that gives app developers the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications that can do many of the things you can do when logged into WordPress via the web interface. These include uploading files, publishing, editing or deleting a post, and even retrieving and editing comments. So why disable XML-RPC?

XML-RPC is a system that allows you to post to your WordPress blog using popular weblog clients like Windows Live Writer. It is also needed if you use the WordPress mobile app or want to connect to services like IFTTT.

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

The XML-RPC service was disabled by default for the longest time, mainly for security reasons. In WordPress 3.5, XML-RPC will be enabled by default, and the ability to turn it off from your WordPress dashboard is going away.

Disabling XML-RPC comes with a cost. If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress. WordPress’s own API abuse prevention has improved. Furthermore, providing the ability to disable XML-RPC caused confusion among users when their applications broke because they could not access the API.

How to Disable XML-RPC in WordPress 3.5

All you have to do is paste the following code in a site-specific plugin:

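// Make the xmlrpc_enabled filter return false, which switches off XML-RPC methods that require authentication
add_filter('xmlrpc_enabled', '__return_false');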

How to Disable WordPress XML-RPC with .htaccess

While the above solution is sufficient for many, it can still be resource intensive for sites that are getting attacked.

In those cases, you may want to block all xmlrpc.php requests in the .htaccess file, before the request is even passed on to WordPress.

Simply paste the following code in your .htaccess file:

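# Block WordPress xmlrpc.php requests
# (Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for these directives)
<Files xmlrpc.php>
order deny,allow
deny from all
# Example address: replace with an IP that still needs XML-RPC access, or remove this line
allow from 123.123.123.123
</Files>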
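
To confirm that the .htaccess rule above is actually denying requests, you can audit the web server's access log. The following is an added example, not code from the original article: it assumes Apache "combined" log format, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
123.123.123.123 - - [10/Jan/2024:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Jan/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Jan/2024:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [10/Jan/2024:10:03:00 +0000] "GET /wp-login.php?redirect_to=/xmlrpc.php HTTP/1.1" 200 2048 "-" "-"
'''

# The address from the "allow from" line of the .htaccess rule.
ALLOWED = {"123.123.123.123"}

# client IP, ident, user, [timestamp], "METHOD target protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def xmlrpc_hits(log_text):
    """Yield (ip, method, status) for each request whose path is xmlrpc.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if path.endswith("/xmlrpc.php"):
            yield ip, method, int(status)

def audit(log_text, allowed=ALLOWED):
    """Return (requests per client IP, requests the rule failed to deny)."""
    per_ip = Counter()
    leaks = []
    for ip, method, status in xmlrpc_hits(log_text):
        per_ip[ip] += 1
        # With the rule active, every non-allowed client should receive 403.
        if ip not in allowed and status != 403:
            leaks.append((ip, method, status))
    return per_ip, leaks

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} xmlrpc.php request(s)")
    print("not denied:", leaks or "none")
```

The per-IP counts also show which clients legitimately use XML-RPC, which helps decide what belongs on the allow line before you tighten the rule.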

Jetpack is one of the most popular plugins for WordPress and relies heavily on XML-RPC to provide its features. If you visit the “Known Issues” page for Jetpack, you’ll notice they discuss how certain security plugins can impact Jetpack features if you use them to disable XML-RPC.

 

sarah ali


Sarah is a passionate writer and blogger. As an early adopter, she enjoys trying out new social media and Internet tools along with WordPress plugins and Web apps.