XML-RPC (Extensible Markup Language – Remote Procedure Call) is a protocol that allows external applications to communicate with WordPress over HTTP. It was originally designed to let users publish blog posts from desktop apps and mobile devices before the modern REST API existed.
How XML-RPC Works
XML-RPC provides a single endpoint at yoursite.com/xmlrpc.php that accepts XML-formatted requests. External applications send commands to this endpoint, and WordPress processes them and returns XML-formatted responses. The protocol supports operations like:
- Creating, editing, and deleting posts and pages
- Uploading media files
- Managing comments
- Retrieving site information
- Pingbacks and trackbacks between blogs
Historical Context
XML-RPC was essential in the early days of WordPress (pre-2015) when there was no REST API. Applications like Windows Live Writer, the WordPress mobile app (older versions), and blogging clients relied on it entirely. With the introduction of the WordPress REST API in version 4.7 (2016), XML-RPC became largely obsolete for most use cases.
Security Risks
XML-RPC is a significant security concern for several reasons:
- Brute force amplification — The system.multicall method allows attackers to test hundreds of username/password combinations in a single HTTP request, bypassing many rate-limiting protections.
- DDoS via pingbacks — Attackers can abuse the pingback feature to launch distributed denial-of-service attacks using your server as an amplifier.
- Information disclosure — XML-RPC can reveal valid usernames and other site information.
- Large attack surface — A single endpoint that accepts authentication and performs write operations is an attractive target.
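As an added example (not InspectWP's or WordPress's own code), here is a small Python checker that parses a raw xmlrpc.php request body and flags the two abuse patterns listed above: a system.multicall bundling many credential-bearing calls, and pingback.ping. The credential-taking method prefixes and the threshold of one credential call per request are my assumptions, and the sample request bodies are constructed, not captured traffic.

```python
import xml.etree.ElementTree as ET

# Assumption: these WordPress XML-RPC method families take a username/password
# pair as their first params, so one such call per request is the normal cost.
CREDENTIAL_METHOD_PREFIXES = ("wp.", "blogger.", "metaWeblog.", "mt.")

def parse_xmlrpc_calls(body: str) -> tuple[str, list[str]]:
    """Return (outer methodName, nested methodNames) for one XML-RPC request body."""
    root = ET.fromstring(body)
    outer = (root.findtext("methodName") or "").strip()
    nested = []
    if outer == "system.multicall":
        # Each bundled call is a <struct> with a methodName member inside the array param.
        for call in root.findall("params/param/value/array/data/value/struct"):
            for member in call.findall("member"):
                if (member.findtext("name") or "").strip() == "methodName":
                    nested.append((member.findtext("value/string") or "").strip())
    return outer, nested

def inspect_request(body: str, max_credential_calls: int = 1) -> dict:
    """Flag multicall credential amplification and pingback requests."""
    outer, nested = parse_xmlrpc_calls(body)
    cred_calls = [m for m in nested if m.startswith(CREDENTIAL_METHOD_PREFIXES)]
    flags = []
    if len(cred_calls) > max_credential_calls:
        flags.append("multicall_credential_amplification")
    if outer == "pingback.ping" or "pingback.ping" in nested:
        flags.append("pingback")
    return {"method": outer, "nested_calls": len(nested),
            "credential_calls": len(cred_calls), "flags": flags}

# Constructed sample bodies (not captured traffic) so the checker runs offline.
def constructed_multicall(n: int) -> str:
    call = ("<value><struct><member><name>methodName</name>"
            "<value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            "<value><string>user</string></value><value><string>pw</string></value>"
            "</data></array></value></member></struct></value>")
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + call * n +
            "</data></array></value></param></params></methodCall>")

CONSTRUCTED_PINGBACK = ("<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName>"
                        "<params><param><value><string>http://example.com/a</string></value></param>"
                        "<param><value><string>http://example.com/b</string></value></param>"
                        "</params></methodCall>")

if __name__ == "__main__":
    for body in (constructed_multicall(1), constructed_multicall(50), CONSTRUCTED_PINGBACK):
        print(inspect_request(body))
```

A single wp.getUsersBlogs call is left unflagged, so legitimate clients that still authenticate through XML-RPC are not caught by the multicall rule.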
Who Still Needs XML-RPC?
Very few modern setups require XML-RPC:
- Jetpack — Jetpack uses XML-RPC for some features (though it's transitioning to the REST API).
- Older mobile apps — Very old versions of the WordPress mobile app.
- Legacy integrations — Some older IFTTT recipes or third-party publishing tools.
If you don't use any of these, you should disable XML-RPC entirely.
How InspectWP Helps
InspectWP checks whether your xmlrpc.php endpoint is accessible and reports its status. If it's enabled and you don't need it, the report flags it as a security concern with guidance on how to disable it.