
What is XML-RPC?

February 8, 2026

XML-RPC is one of those WordPress features that most site owners have never heard of, yet it has been running quietly in the background of almost every WordPress installation for over a decade. The file xmlrpc.php sits in the root directory and accepts requests from the outside world. Originally, it was the only way to manage a WordPress blog remotely. Today, it is mostly a security liability that attackers love to exploit.

What XML-RPC Does in WordPress

XML-RPC stands for Extensible Markup Language – Remote Procedure Call. In simple terms, it is a way for external software to talk to your WordPress site over HTTP. The external application sends a specially formatted XML request to yoursite.com/xmlrpc.php, WordPress processes it, and returns an XML response.

Through this interface, remote clients can do things like:

  • Create, edit, and delete posts and pages
  • Upload images and other media
  • Moderate and manage comments
  • Pull site configuration and metadata
  • Send and receive pingbacks between blogs

Think of it as a primitive API, functional but designed in an era before REST APIs were common.

XML-RPC vs. REST API: From Essential to Obsolete

Back in the mid-2000s, if you wanted to write a blog post from your phone or a desktop app like Windows Live Writer, XML-RPC was your only option. WordPress adopted the MetaWeblog API and the Blogger API, both built on XML-RPC, to let these tools communicate with your site.

Then in 2016, WordPress 4.7 shipped with the REST API built in. Suddenly there was a modern, standardized way to interact with WordPress, one that uses JSON instead of XML, supports proper authentication, and is far easier to work with. From that point on, XML-RPC became a relic. Most modern plugins, apps, and integrations use the REST API exclusively.

XML-RPC Security Risks: Brute Force, DDoS, and More

The file is publicly accessible by default on every WordPress site. That alone is not great, but the real issues go deeper:

  • Brute-force amplification: XML-RPC has a method called system.multicall that lets you bundle hundreds of requests into one. An attacker can test 500 username-password combinations in a single HTTP request. Many login-protection plugins do not even see this happening because they only monitor wp-login.php.
  • Pingback abuse: The pingback feature can be weaponized for DDoS attacks. An attacker tells thousands of WordPress sites to "ping" a target server, effectively turning innocent sites into a botnet. This has happened repeatedly in real-world attacks.
  • Username enumeration: Even without valid credentials, XML-RPC responses can confirm whether a username exists, giving attackers half the information they need.
  • Unnecessary attack surface: Every publicly accessible endpoint that accepts authentication is a potential entry point. If you are not using XML-RPC, having it open is like leaving a door unlocked that nobody ever walks through.
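The two abuse patterns above (oversized system.multicall batches and pingback requests) can be recognised in the request body before WordPress ever runs them. The following is an added example, not code from the original post: a check a reverse proxy or WAF hook could apply to POST bodies for xmlrpc.php, using only Python's standard library. The multicall threshold, the placeholder method name `example.method` and the sample bodies are constructed for the demonstration.

```python
import xmlrpc.client

# Assumption: a well-behaved client batches only a handful of calls per request.
MULTICALL_LIMIT = 10


def inspect_xmlrpc_request(body: bytes, limit: int = MULTICALL_LIMIT) -> dict:
    """Classify one XML-RPC request body.

    Returns the top-level method, how many individual calls the request
    carries (1 unless it is a system.multicall), the method names involved,
    and a list of flags naming why the request looks abusive.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # malformed XML, unsupported types, fault responses
        return {"method": None, "calls": 0, "methods": [], "flags": ["unparseable"]}

    if method == "system.multicall" and params and isinstance(params[0], list):
        # Each bundled call is a struct {"methodName": ..., "params": [...]}
        methods = [c.get("methodName", "") for c in params[0] if isinstance(c, dict)]
    else:
        methods = [method]

    flags = []
    if len(methods) > limit:
        flags.append("multicall_burst")  # the brute-force amplification pattern
    if "pingback.ping" in methods:
        flags.append("pingback")         # the pingback-abuse pattern
    return {"method": method, "calls": len(methods), "methods": methods, "flags": flags}


def encode_call(method: str, *params) -> bytes:
    """Serialise an XML-RPC methodCall body (used here only to build sample input)."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def sample_multicall(n: int) -> bytes:
    """Constructed sample: a system.multicall bundling n calls to a placeholder method."""
    calls = [{"methodName": "example.method", "params": [i]} for i in range(n)]
    return encode_call("system.multicall", calls)


if __name__ == "__main__":
    print(inspect_xmlrpc_request(encode_call("example.method", 1)))
    print(inspect_xmlrpc_request(sample_multicall(500)))
```

A real deployment would feed the result into rate limiting or blocking per source address rather than just printing it.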

Does Your WordPress Site Still Need XML-RPC?

The honest answer: almost nobody. There are a few edge cases:

  • Jetpack used to rely on XML-RPC heavily, but has been moving to the REST API. Newer Jetpack versions work without it for most features.
  • Very old mobile apps: The current WordPress mobile app uses the REST API. Only outdated versions from before 2016 still need XML-RPC.
  • Legacy third-party tools: Some ancient IFTTT recipes or publishing platforms might still use it, but alternatives exist for all of them.

If none of these apply to you, there is no good reason to keep XML-RPC enabled.

How to Disable XML-RPC in WordPress

The quickest method is a filter in your theme's functions.php or a custom plugin:

add_filter('xmlrpc_enabled', '__return_false');

This makes WordPress reject XML-RPC calls that require a login, but xmlrpc.php still answers requests, so the endpoint remains visible from outside. To block access entirely at the server level, add this to your .htaccess:

<Files xmlrpc.php>
  Require all denied
</Files>

Or if you are on Nginx:

location = /xmlrpc.php {
  deny all;
  return 403;
}

Many security plugins (Wordfence, iThemes Security, Sucuri) also offer a toggle to disable XML-RPC with one click.

Detect an Open XML-RPC Endpoint with InspectWP

InspectWP checks whether your xmlrpc.php endpoint is reachable from the outside. If it responds to requests, the report flags it and explains why you should consider disabling it, especially if your site has no legitimate reason to keep it active.
