How to disable XML-RPC

Read First - Should You Disable XML-RPC on WordPress?

 

Options for disabling XML-RPC

  1. Plugin 'Wordfence Security'
  2. Plugin 'Disable XML-RPC-API'
  3. Theme Function
  4. Block all access to xmlrpc.php

 

1. Plugin 'Wordfence Security – Firewall & Malware Scan'

Wordfence is a security plugin that provides many features, including disabling 'XML-RPC' requests.

WordPress Admin Dashboard -> Wordfence -> Login Security -> Disable XML-RPC authentication

 

2. Plugin 'Disable XML-RPC-API'

This plugin provides the basic features to disable 'XML-RPC' requests.

 

3. Theme Function

Edit your theme's 'functions.php' file and add the following code to the end of the file.

add_filter('xmlrpc_enabled', '__return_false');

 

4. Block all access to xmlrpc.php

The options above disable access to the 'XML-RPC' functions of WordPress. They do not stop requests from actually reaching 'xmlrpc.php'.

To fully block access to 'xmlrpc.php', use the following for Apache or Nginx.

  • Apache (.htaccess)

    Add to your .htaccess file
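    ## block all access to XML-RPC requests
    ## (Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat)
    <Files xmlrpc.php>
      order deny,allow
      deny from all
      # To whitelist access, uncomment the next line and replace the address with your IP
      #allow from 123.123.123.123
    </Files>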


  • Nginx

    Add to your config
    ## block all access to XML-RPC requests
    location = /xmlrpc.php {
      deny all;
    }
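
To confirm the block from option 4 is in effect, the access log can be checked for any request to xmlrpc.php that was not answered with 403. The script below is an added example, not part of the original article; the log lines are constructed samples in combined log format, and the /blog/ subdirectory install is an assumed case, included because the exact-match Nginx location above only covers /xmlrpc.php at the site root.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "POST //xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.9 - - [12/Mar/2024:10:02:11 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 412 "-" "curl/8.0"
198.51.100.9 - - [12/Mar/2024:10:02:40 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:03:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
garbage line that is not a log entry
"""

# client IP, method, request target and status code of one log entry
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_xmlrpc(target):
    """True when the request path ends in xmlrpc.php, at any directory depth."""
    path = unquote(target.split("?", 1)[0])   # drop query string, decode %xx
    path = re.sub(r"/{2,}", "/", path)        # collapse repeated slashes
    return path.rsplit("/", 1)[-1] == "xmlrpc.php"

def audit(log_text):
    """Return (status counts for xmlrpc.php hits, hits not answered with 403)."""
    counts, leaks = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip malformed lines
        ip, method, target, status = m.groups()
        if not is_xmlrpc(target):
            continue
        counts[status] += 1
        if status != "403":                   # the deny rule did not answer this one
            leaks.append((ip, method, target, status))
    return counts, leaks

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_LOG)
    print("xmlrpc.php responses by status:", dict(counts))
    for ip, method, target, status in leaks:
        print(f"NOT BLOCKED: {method} {target} from {ip} -> {status}")
```

To run it against a real server, pass the contents of the site's access log to audit() in place of SAMPLE_LOG.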

 
