How to Disable XML-RPC in WordPress

What is XML-RPC?

According to Wikipedia, XML-RPC is a remote procedure call protocol which uses XML to encode its calls and HTTP as a transport mechanism. In short, it is the mechanism that lets you post to your WordPress blog from popular weblog clients like Windows Live Writer. It is also needed if you are using the WordPress mobile app, and if you want to connect your site to services like IFTTT.

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

In the past, there were security concerns with XML-RPC, so it was disabled by default. In his comment on Trac ticket #21509, @nacin, one of the core contributors of WordPress, said:

Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.

There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.

With the increasing use of mobile, this change was inevitable. However, some security-conscious folks may say that while XML-RPC's security is not that big of an issue, it still provides an additional attack surface if a vulnerability were ever found. Thus, keeping it disabled would make more sense.

To keep everyone happy, while the user-interface option and the database option to turn off XML-RPC have been removed, there is a filter that you can use to turn it off if needed.

How to Disable XML-RPC in WordPress 3.5

All you have to do is paste the following code into a site-specific plugin:

// Disables the XML-RPC methods that require authentication (e.g. remote publishing); unauthenticated methods such as system.listMethods still respond.
add_filter( 'xmlrpc_enabled', '__return_false' );

How to Disable WordPress XML-RPC with .htaccess

While the above solution is sufficient for many, it can still be resource-intensive for sites that are being attacked, because WordPress must still load and process every xmlrpc.php request before the filter rejects it.

In those cases, you may want to block all xmlrpc.php requests from the .htaccess file, before the request is even passed on to WordPress.

Simply paste the following code into your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# 123.123.123.123 is a placeholder: replace it with the address that should still be allowed to reach xmlrpc.php
allow from 123.123.123.123
</Files>
# Note: order/deny/allow is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, otherwise use "Require all denied" and "Require ip ...".
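To tell whether a site is in the "getting attacked" situation described above, and to confirm the .htaccess rule is actually doing its job once deployed, you can read the web server's access log. The script below is an added example, not code from the original article: it assumes Apache's combined log format and the allowlisted address 123.123.123.123 from the snippet above; the log lines it parses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: a burst of POSTs from one host, one allowlisted client, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
123.123.123.123 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/6.3 (iOS)"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
"""


def xmlrpc_requests(log_text):
    """Yield (ip, status) for every request whose path is xmlrpc.php (query string ignored)."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?")[0].endswith("/xmlrpc.php"):
            yield m.group("ip"), int(m.group("status"))


def per_source_counts(log_text):
    """Count xmlrpc.php requests per source IP, busiest source first."""
    return Counter(ip for ip, _ in xmlrpc_requests(log_text)).most_common()


def unblocked_sources(log_text, allowlist):
    """Return {ip: [statuses]} for sources outside the allowlist that still got a
    non-403 answer from xmlrpc.php. Once the .htaccess rule is active this should be empty."""
    leaks = defaultdict(list)
    for ip, status in xmlrpc_requests(log_text):
        if ip not in allowlist and status != 403:
            leaks[ip].append(status)
    return dict(leaks)


if __name__ == "__main__":
    print(per_source_counts(SAMPLE_LOG))
    print(unblocked_sources(SAMPLE_LOG, {"123.123.123.123"}))
```

Point it at a real log with `open("/path/to/access.log").read()` in place of SAMPLE_LOG; any entries reported by unblocked_sources after the rule is in place mean the block is not being applied to xmlrpc.php.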