Disable XML-RPC in WordPress

Disable XML-RPC in WordPress
5 (100%) 5 votes
Hackers are using the XML-RPC function in WordPress for DDoS botnet attacks as well as Brute Force attacks.

What is XML-RPC?

The XML-RPC function was originally designed to be used an intranet notification system for WordPress users. But few use it anymore due to spam.

Now it is being used primarily as a way to remote post to WordPress from mobile.

Some plugins and third-party applications use XML-RPC to deliver content from their servers to your site.


Do I need WordPress XML-RPC?

Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common causes for exploits.

Some clients such as the official WordPress Mobile Apps and Blogger use XML-RPC requests to function.

All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.

A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API


Block WordPress xmlrpc.php requests with Disable XML-RPC Plugin

This plugin disables XML-RPC API in WordPress 4.5+, which is enabled by default.



Deepak the CTO of Innovative Hosting has over 5 years of expertise in the hosting and datacenter Industry! He likes writing blogs for simplifying latest technologies so that everyone can understand and relate to them in a better way. He loves learning about latest techie things.

innovative hosting

Leave a Reply