XML-RPC (xmlrpc.php) is a legacy WordPress interface that allows remote communication. While it was useful before the REST API existed, it is now primarily an attack vector for brute force and DDoS amplification attacks.
Why Disable XML-RPC?
- Brute force attacks — Attackers can try hundreds of passwords in a single XML-RPC request using the system.multicall method.
- DDoS amplification — The pingback feature can be abused to launch DDoS attacks against other sites using your server.
- You probably don't need it — The REST API has replaced XML-RPC for most use cases. Only the Jetpack plugin and the legacy WordPress mobile app still require it.
Method 1: Disable via .htaccess
# Block access to xmlrpc.php (Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat use "Require all denied" in place of the Order/Deny lines)
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
Method 2: Disable via functions.php
// Disable XML-RPC (note: this filter only turns off methods that require
// authentication; pingback.ping and other unauthenticated methods still respond,
// so pair it with a webserver rule if pingback abuse is the concern)
add_filter('xmlrpc_enabled', '__return_false');
// Remove the XML-RPC discovery link (RSD) from the page head
remove_action('wp_head', 'rsd_link');
Method 3: Nginx
# Answer 403 before the request ever reaches PHP
location = /xmlrpc.php {
deny all;
return 403;
}
Check if You Need XML-RPC
Before disabling, verify you don't use any of these:
- Jetpack plugin (requires XML-RPC for some features)
- WordPress mobile app (legacy versions)
- Remote publishing tools that use XML-RPC
Verify
After disabling, try accessing https://yoursite.com/xmlrpc.php — you should get a 403 Forbidden error instead of the XML-RPC server response.
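The verify step above as an added script (not from the original page): it POSTs a credential-free system.listMethods call and classifies the reply, because a webserver block (methods 1 and 3) answers 403, while the functions.php filter (method 2) leaves xmlrpc.php answering with XML and returns a fault only for methods that need authentication. The URL, the sample responses and the fault text are assumptions used for offline checking.

```python
"""Probe xmlrpc.php and classify the answer (added example; the sample responses
at the bottom are constructed, not captured from a real site)."""
import http.client
import urllib.parse
import xmlrpc.client

# system.listMethods needs no credentials, so it is a safe probe against your own site.
PROBE_METHOD = "system.listMethods"


def build_probe() -> bytes:
    """Serialise the XML-RPC methodCall body that the probe POSTs."""
    return xmlrpc.client.dumps((), methodname=PROBE_METHOD).encode()


def classify(status: int, body: bytes) -> str:
    """'blocked'    -> the webserver rule (.htaccess / nginx) answered 403
    'enabled'    -> WordPress served a method list, so xmlrpc.php is still live
    'fault:N'    -> an XML-RPC fault (what the xmlrpc_enabled filter returns for
                    methods that need authentication)
    'unexpected' -> anything else (HTML page, other status codes)"""
    if status == 403:
        return "blocked"
    if status != 200:
        return "unexpected"
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return f"fault:{fault.faultCode}"
    except Exception:  # not XML-RPC at all
        return "unexpected"
    methods = params[0] if params else []
    return "enabled" if isinstance(methods, list) and methods else "unexpected"


def probe(url: str, timeout: float = 10.0) -> str:
    """POST the probe to url (e.g. https://yoursite.com/xmlrpc.php) and classify it."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    conn.request("POST", parts.path or "/xmlrpc.php", body=build_probe(),
                 headers={"Content-Type": "text/xml"})
    resp = conn.getresponse()
    return classify(resp.status, resp.read())


# Constructed sample responses for offline checks (assumed, not captured).
SAMPLE_ENABLED = xmlrpc.client.dumps(
    (["system.multicall", "pingback.ping", "wp.getUsersBlogs"],), methodresponse=True).encode()
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."),
    methodresponse=True).encode()
```

Run probe("https://yoursite.com/xmlrpc.php") against your own site; "enabled" means xmlrpc.php still answers and the block has not taken effect.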