How to Disable XML-RPC in WordPress?

XML-RPC is a specification that allows WordPress to interact with other systems. Nowadays, XML-RPC is considered a security weakness in WordPress, and hackers can easily exploit it by targeting xmlrpc.php for brute-force attacks. Nevertheless, WordPress still ships XML-RPC to preserve backward compatibility. Use of XML-RPC has declined because the REST API is more versatile. Because the REST API has succeeded XML-RPC, you should now disable xmlrpc.php on your WordPress website for security reasons.

Is XML-RPC running on your WordPress website?

The first step is to know whether xmlrpc.php is running on your WordPress website. To check the XML-RPC status of your website, use the WordPress XML-RPC Validation Service. This tool will scan your website and tell you if xmlrpc.php is enabled.

Disable XML-RPC by adding code into the theme’s functions.php file:

Use the xmlrpc_enabled filter to disable XML-RPC. Add the code below to your functions.php file.

add_filter( 'xmlrpc_enabled', '__return_false' );

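This filter turns off the XML-RPC methods that require authentication, which are the ones a brute-force login attempt relies on; the xmlrpc.php file itself still answers requests. It’s always good practice to put this code in a plugin instead of adding it to the theme’s functions.php file directly, because code in functions.php stops running when you switch themes and can be overwritten by a theme update.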
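The same filter packaged as a small plugin, as an added example that is not code from the original article. It goes beyond the one-liner by also removing the pingback methods and the discovery hints that advertise xmlrpc.php; the file name, the plugin header text and the `example_` function names are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (example)
 * Description: Added example. Turns off authenticated XML-RPC methods, pingbacks and discovery hints.
 */

// Refuse direct requests to this file outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Disable every XML-RPC method that requires authentication
// (the same filter the article adds to functions.php).
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled does not cover unauthenticated methods, so also drop the
// pingback methods from the list of callable XML-RPC methods.
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );
function example_remove_pingback_methods( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
}

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', 'example_remove_x_pingback_header' );
function example_remove_x_pingback_header( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}

// Stop advertising the endpoint in the page <head> (Really Simple Discovery link).
remove_action( 'wp_head', 'rsd_link' );
```

Save it as a single PHP file under wp-content/plugins/ and activate it from the Plugins screen; unlike code in functions.php, it keeps working when the theme changes.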

Disable XML-RPC by adding code into the .htaccess file:

Alternatively, you can disable XML-RPC by editing the .htaccess file if your server supports it. For example, Apache and LiteSpeed support .htaccess files, but the Nginx web server does not.

In your .htaccess file, add this code:

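# Disable xmlrpc.php requests
# Order/Deny is Apache 2.2 syntax; Apache 2.4 accepts it only through mod_access_compat (the native 2.4 form is: Require all denied)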
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

Don’t forget to make a copy of the old .htaccess file before adding this code, just in case you run into any issues.

By disabling XML-RPC, you can improve the security of your WordPress website.

Sazzad Mahmud

Hello, I am a WordPress Consultant. My WordPress Consultancy service goes beyond designing and developing WordPress sites. I can advise you on the overall strategy of the website, help optimize a website’s performance, improve conversions, provide security and disaster recovery strategy, develop marketing funnels and improve SEO. Let’s work on a great project together.