Block XML-RPC protocol in WordPress

WordPress hosting Apr 17, 2019 by Johnny 8 Comments

If you’re not using XML-RPC, you should disable it on your site to prevent bots/hackers from hacking your site or slowing it down with repeated XML-RPC attacks. Usually, the biggest problem with XML-RPC attacks is not that they get in, but that they bog down your server with so many blocked requests.

  • XML-RPC is commonly used to connect to your site and blog from a mobile app or remote publishing service. If you never publish to your site from anywhere but directly in WordPress admin itself, you are fine to disable it!
  • You can easily block all xmlrpc.php requests using .htaccess to prevent them from even getting passed into WordPress. Don’t bother using a security plugin for this. They’re either slower to process the block, or they essentially do the same thing by adding this same bit of code to your .htaccess.

On Apache/LiteSpeed servers, paste the following code into your .htaccess file (preferably at the very top):

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: replace with an IP that still needs XML-RPC access, or remove this line
allow from 123.123.123.123
</Files>

Quick note: if you need to leave it on for certain IPs, you can whitelist your own IP and also Jetpack’s IPs (if you use it).
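To confirm the .htaccess rule is working, check the access log: every xmlrpc.php request from a non-whitelisted IP should show status 403. The script below is an added example, not part of the original post; the function name `audit_xmlrpc` is hypothetical, the log lines are constructed samples in combined log format, and 123.123.123.123 is the placeholder IP from the rule above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2019:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.64"
203.0.113.7 - - [17/Apr/2019:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.64"
203.0.113.7 - - [17/Apr/2019:10:00:02 +0000] "POST //xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.64"
203.0.113.7 - - [17/Apr/2019:10:00:03 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "curl/7.64"
198.51.100.22 - - [17/Apr/2019:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.22 - - [17/Apr/2019:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2411 "-" "-"
123.123.123.123 - - [17/Apr/2019:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""

# client IP, request line ("METHOD path protocol"), then the 3-digit status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def audit_xmlrpc(log_text, allowed_ips=()):
    """Return (per-IP status counts for xmlrpc.php, requests that slipped past the block)."""
    per_ip = defaultdict(Counter)
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not path.endswith("/xmlrpc.php"):
            continue
        ip, status = m["ip"], int(m["status"])
        per_ip[ip][status] += 1
        # With the <Files> rule in place, only whitelisted IPs should get anything but 403.
        if status != 403 and ip not in allowed_ips:
            leaks.append((ip, status))
    return per_ip, leaks


if __name__ == "__main__":
    # 123.123.123.123 is the placeholder whitelist IP from the .htaccess rule.
    counts, leaks = audit_xmlrpc(SAMPLE_LOG, allowed_ips={"123.123.123.123"})
    for ip, statuses in sorted(counts.items()):
        print(ip, dict(statuses))
    print("not blocked:", leaks)
```

An empty "not blocked" list means the rule is catching every request; a long 403 count for a single IP is the kind of repeat traffic the rule is there to stop before it reaches WordPress.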

On Nginx servers, which don’t read .htaccess files, paste the following code into your functions.php (submitted by Regev):

// Disable XML-RPC methods that require authentication
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the X-Pingback header from responses
function disable_x_pingback( $headers ) {
    unset( $headers['X-Pingback'] );

    return $headers;
}
add_filter( 'wp_headers', 'disable_x_pingback' );

// Remove the pingback.ping method from the XML-RPC method list
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );

    return $methods;
} );

Reference link to learn more about XML-RPC:

  • https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/

8 Comments

  1. Regev

    June 16, 2020 at 1:19 pm

    If on an NGINX server (which doesn’t have htaccess), put this in your functions file instead:

    // Disables XML-RPC
    add_filter( 'xmlrpc_enabled', '__return_false' );

    function disable_x_pingback( $headers ) {
        unset( $headers['X-Pingback'] );

        return $headers;
    }
    add_filter( 'wp_headers', 'disable_x_pingback' );

    add_filter( 'xmlrpc_methods', function( $methods ) {
        unset( $methods['pingback.ping'] );

        return $methods;
    } );

    • Johnny

      June 17, 2020 at 1:55 am

      Thank you for this. I’ll add it to the guide.

  2. Vadim

    April 18, 2021 at 7:35 pm

    Can it be set to the mu-plugins folder instead of functions.php for the NGINX server, and how to check if the Block XML-RPC protocol is active?
