Before WordPress 3.5 was released, XML-RPC was turned off by default, but users had the ability to turn it on or off in the settings. When version 3.5 was released, the protocol became a core part of WordPress, and the ability to turn it on or off in the settings was removed. The developers believed that the vulnerabilities and the security concerns revolving around XML-RPC were a thing of the past and that the protocol has improved a lot since then. Therefore, if you want to disable XML-RPC in WordPress nowadays, you’d have to do it manually, and we’re going to explain how in this article. There’s also a section at the end talking about the reasons you would want to disable it.
There are different ways to disable this feature in WordPress. You can use a site-specific plugin, use a plugin, edit your theme’s functions.php file or add rules via .htaccess.
Using a Site-Specific Plugin
All you have to do is to add the following code snippet to your site-specific plugin:
Save your plugin and you’re done.
Using a Plugin
There are several pre-made plugins that can help you disable XML-RPC feature in WordPress. They are excellent if you don’t want to fiddle with your site’s code at all.
One such plugin is called Disable XML-RPC. It’s pretty straightforward. It just adds the code snippet that will disable XML-RPC in WordPress. Set it and forget it.
Adding a Code Snippet to Your Theme’s Functions.php File
What you’re going to do here is to add the following code snippet into your theme’s functions.php file:
As you can see, this is the same as the code used in the site-specific plugin method. This code snippet is basically just what you need to disable XML-RPC, you just need to know where to put it, and in this method, we are going to put it in your theme’s functions.php file.
To do that, go to Appearance > Editor.
Then, find Theme Functions (functions.php) from the list of theme files on the right side of the screen and click it to bring it to the editor window.
Now that the functions.php file is in the editor window, scroll down to the very bottom and paste the code snippet there (if your theme’s functions.php has a “?>” aka closing PHP tag at the end, place the code snippet before the closing PHP tag).
Save the file and you are done.
Note: if you are going to edit your theme’s functions.php file, it’s better to create a child theme and put your changes there instead. This way, any changes that you make and/or customizations that you add to your theme’s files won’t be lost when it updates to a newer version.
Using .htaccess File
Finally, the last way to disable XML-RPC is via the .htaccess file. Disabling it this way is better if you want to be able to add IP addresses that can access the XML-RPC feature (i.e. a whitelist).
To add a filter that blocks WordPress XML-RPC requests, copy the following code snippet, and paste/add it into your .htacess file:
# Block WordPress xmlrpc.php requests
deny from all
allow from 188.8.131.52
To add an IP address to the whitelist, simply edit the line where it says allow from 184.108.40.206, and replace 220.127.116.11 with the IP address of the site or service that you want to be able to access XML-RPC.
Why disable XML-RPC, you ask? Why should this feature be optional? XML-RPC is only useful if you want to use the official WordPress’s mobile app or if you want to use weblog clients to publish posts remotely to your site. This protocol is also used by IoT services like IFTTT and by Jetpack. If you don’t use any of these services and tools, then leaving XML-RPC enabled is like inviting hackers to attack your site.
In reality, XML-RPC is just another security hole for hackers to exploit. DDoS and brute force attacks can be successfully carried out through the use of the XML-RPC protocol. The best way to deal with it is to disable it completely, or use the .htaccess method and configure it to allow only your specified IP addresses.