What is xmlrpc.php in WordPress? How to check and disable xmlrpc.php in WordPress?
August 31, 2021

XMLRPC allows you to communicate with your WordPress website & allows remote connection to WordPress. Windows Live Writer can directly post blogs to WordPress using xmlrpc.php. In its early days, it was, however, disabled by default due to coding problems.

In this article, I will guide you through everything about xmlrpc.php in WordPress: what it is, what it is used for, its security risks, and how to check and disable it.

What is Xmlrpc.php?

An XMLRPC feature in WordPress facilitates the transfer of data, with HTTP serving as a transport mechanism and XML acting as an encoding mechanism. Many tools and publishing applications will not be able to access the website without it.

It is a remote procedure call protocol that uses HTTP as the transport and XML as the encoding. The XMLRPC protocol was designed to be very simple, while allowing complex data structures to be transmitted, processed, and returned. WordPress allows you to interact with all of its basic content types directly from the XMLRPC API:

  • posts
  • taxonomy
  • media
  • comments
  • users.

Why and When Was xmlrpc.php Created?

XMLRPC was implemented in the early days of WordPress. In those days it was common for people to write offline and then copy and paste their content onto the web rather than writing in the browser. xmlrpc.php was introduced at that time and made it possible to use an offline blogging client where you could compose your content, then publish it to your blog.

In 2008, WordPress 2.6 introduced a switch that enabled or disabled XMLRPC. As soon as the WordPress iPhone app was released, XMLRPC support was turned on by default and could not be turned off.

What is the future of XMLRPC?

Many new features are coming to the WordPress software, including a WordPress REST API that will remove the need for the xmlrpc.php file. This new API is being used to replace XML-RPC connections to the website. Eventually, it will become the only way of connecting to your website.

There are still some issues with the new API, but compared to xmlrpc.php it offers a more robust, secure solution.

Why Should You Disable xmlrpc.php?

There are a number of reasons why you should disable xmlrpc.php on your WordPress site, including the fact that it introduces security vulnerabilities and can be targeted for attacks. There are two main weaknesses to XML-RPC which have been exploited in the past.

The first type of WordPress xmlrpc.php attack relies on brute force. Attackers favor brute force attacks through xmlrpc.php because they allow them to bypass security tools that typically detect and block brute force attacks.

As for the second one, it was a WordPress xmlrpc.php DDoS attack that took sites offline. This attack involved using a feature of WordPress to send multiple pingbacks to various sites, causing the sites to crash.

Additionally, XML-RPC is no longer needed for communicating outside of WordPress, so there is no need to keep it active. That’s why disabling it will make your site more secure.
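
The following is an added example, not code from the original article: a detection pass over web server access logs that flags clients sending bursts of POST requests to xmlrpc.php, the traffic pattern behind the brute force attack described above. The log lines, the threshold and the function name flag_xmlrpc_bursts are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in Apache "combined" format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.23 - - [31/Aug/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.23 - - [31/Aug/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.23 - - [31/Aug/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.23 - - [31/Aug/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.9 - - [31/Aug/2021:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Aug/2021:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress-app"
192.0.2.50 - - [31/Aug/2021:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, HTTP method, request path, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def flag_xmlrpc_bursts(log_text, max_posts=3, window=timedelta(seconds=60)):
    """Return sorted client IPs that sent more than max_posts POSTs to
    /xmlrpc.php inside any sliding time window of the given length."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, stamp, method, path, _status = m.groups()
        if method != "POST" or path.split("?", 1)[0] != "/xmlrpc.php":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop requests that fell out of the window
        if len(hits) > max_posts:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_xmlrpc_bursts(SAMPLE_LOG))
```
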

Methods to Disable xmlrpc.php

In order to disable xmlrpc.php from your website, there are two main methods. These methods are outlined below.

1. Disable xmlrpc.php with a Plugin

With a plugin, it is very simple to disable XML-RPC on a WordPress website.

Simply open your WordPress website as an administrator, and navigate to the Plugins › Add New section from within your WordPress dashboard.

Search for Disable XML-RPC and install the plugin.


Activate the plugin; this will automatically insert the necessary code to turn off XML-RPC.

2. Disabling Xmlrpc.php Manually

Note: If you are not using CloudPages, we recommend that you use the method above. You can still disable XML-RPC manually using any other control panel if you know how to edit your .htaccess files. Please note that the rules below are not compatible with NGINX or OpenLiteSpeed; you will need LiteSpeed Enterprise or the Apache web server.

If you prefer not to use a plugin, you can also disable xmlrpc.php using .htaccess rules.

Go to your server dashboard. If you don't have a server on CloudPages, click here to deploy the server.

Navigate to List Websites -> Choose Website, then click on File Manager in the sidebar.

The file manager lists all the folders. Open public_html.

Here you can see the .htaccess file. Click on it.

The file will open in a new window where you can edit it.

Paste the following code at the top of the file and click Save Changes.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

NOTE: Change xxx.xxx.xxx.xxx to the IP address you wish to allow to access xmlrpc.php, or remove this line completely.

Check If xmlrpc.php Is Running on Your WordPress Site

The WordPress xmlrpc.php interface is always enabled by default. It’s active once you finish installing WordPress.

You can check whether xmlrpc.php is enabled on your site by using WordPress XML-RPC Validation Service. This will check your site and tell you if xmlrpc.php is enabled.  

Enter the website URL in the address bar, provide the WordPress admin credentials below it, and click on check. It will then tell you whether xmlrpc.php is enabled or not.

If XML-RPC is enabled, it will show the check's output; otherwise it will show an error.
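
A check you can run against your own site without handing admin credentials to a third-party service, given as an added example (not from the original article): it sends one wp.getUsersBlogs call with deliberately invalid credentials and classifies the reply, separating a web server block such as the .htaccess rule from a WordPress-level switch-off. The state names, the function names and the reading of XML-RPC fault 405 as "authenticated methods disabled" are assumptions of this example.

```python
import urllib.error
import urllib.request
import xmlrpc.client

def build_probe():
    """Request body for wp.getUsersBlogs with deliberately invalid credentials."""
    return xmlrpc.client.dumps(("probe-user", "probe-invalid"), "wp.getUsersBlogs").encode()

def classify(status, body):
    """Map an HTTP status and response body to a state of the xmlrpc.php endpoint."""
    if status == 403:
        return "blocked"        # denied by the web server, e.g. the <Files> rule
    if status == 404:
        return "missing"
    if status != 200:
        return "unknown"
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # Assumption: fault 405 means authenticated methods are switched off;
        # any other fault (such as a rejected login) means the login path is live.
        return "auth-disabled" if fault.faultCode == 405 else "enabled"
    except Exception:
        return "unknown"        # HTTP 200, but the body is not an XML-RPC response
    return "enabled"

def probe(site_url, timeout=10):
    """POST the probe to <site_url>/xmlrpc.php on a site you administer."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_probe(),
        headers={"Content-Type": "text/xml"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(probe(sys.argv[1]))
```

A result of "enabled" means the login path through xmlrpc.php still accepts authentication attempts; "blocked" is what the .htaccess rule above should produce for any client outside the allowed IP address.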

Habbi is support lead at CloudPages. He also loves to write about WordPress, SEO and Digital Marketing.


  1. Rochelle

    I’m not a techy person but this was well explained, it’s a useful plugin/feature, thanks for sharing

  2. Her Digital Coffee

    Thank you for sharing this incredibly informative article. I always love learning more about WordPress.

  3. Ellie

    Very interesting! I’ve never even heard of this but always looking for great WordPress tips.

