XML-RPC was previously disabled by default for security reasons. However, since WordPress 3.5, the service is enabled by default, and there is no option to turn it off in the CMS dashboard.
Luckily, there are ways to disable the XML-RPC service in WordPress.
What is XML-RPC?
XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. In simpler words, it is a service that allows you to connect and publish posts from third-party platforms like mobile phones, the WordPress mobile app, and Windows Live Writer.
If you are not using these platforms to post articles to your WordPress sites, then you might want to disable this XML-RPC service.
How to Disable XML-RPC with Plugin
The Disable XML-RPC WordPress plugin by Philip Erb is, according to its author, able to turn off the XML-RPC service running on WordPress 3.5 and above. Here are the steps to activate the plugin:
- Upload the disable-xml-rpc directory to the /wp-content/plugins/ directory in your WordPress installation.
- Activate the plugin through the ‘Plugins’ menu in WordPress.
- XML-RPC is now disabled!
- To re-enable XML-RPC, just deactivate the plugin through the ‘Plugins’ menu.
Let us know if this plugin still works on the latest WordPress version!
How to Disable XML-RPC with .htaccess
It's pretty easy: paste the following code into your .htaccess file. On Apache 2.2 (or 2.4 with the legacy access control syntax module enabled), add:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Don’t forget to replace the IP address on the “allow from” line with your own.
Using Apache 2.4’s newer access control syntax, it will be:
<files xmlrpc.php>
Require all denied
</files>
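To confirm which of the two rule sets a given .htaccess actually contains, and which hosts it still exempts, the file can be audited offline. The following is an added example, not code from the original post or from Apache or WordPress: the `audit_xmlrpc` helper and the sample strings are hypothetical, constructed from the snippets above.

```python
import re

# Constructed samples, modelled on the two .htaccess snippets above.
LEGACY = """<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
"""
MODERN = """<files xmlrpc.php>
Require all denied
</files>
"""

# Apache directive and container names are case-insensitive; the filename may be quoted.
FILES_BLOCK = re.compile(r'<Files\s+"?xmlrpc\.php"?\s*>(.*?)</Files\s*>', re.I | re.S)


def audit_xmlrpc(htaccess_text):
    """Describe the xmlrpc.php restriction in .htaccess text (hypothetical helper).

    Returns None when no <Files xmlrpc.php> block exists, otherwise a dict with
    the syntax generation, whether access is denied by default, and exempt hosts.
    """
    match = FILES_BLOCK.search(htaccess_text)
    if match is None:
        return None
    rules = [" ".join(line.lower().split()) for line in match.group(1).splitlines()]
    rules = [r for r in rules if r and not r.startswith("#")]

    # Apache 2.4 syntax: bare Require lines are OR-ed (implicit RequireAny).
    requires = [r.split()[1:] for r in rules if r.startswith("require ")]
    if requires:
        blocked = ["all", "granted"] not in requires
        allowed = [ip for req in requires if req[0] == "ip" for ip in req[1:]]
        return {"syntax": "2.4", "blocked": blocked, "allowed": allowed}

    # Apache 2.2 syntax: the Order directive decides which rule list wins.
    allows = [h for r in rules if r.startswith("allow from ") for h in r.split()[2:]]
    deny_all = "deny from all" in rules
    if "order allow,deny" in rules:  # default deny, and any Deny match overrides Allow
        return {"syntax": "2.2", "blocked": True, "allowed": [] if deny_all else allows}
    blocked = deny_all and "all" not in allows
    return {"syntax": "2.2", "blocked": blocked, "allowed": allows}


if __name__ == "__main__":
    for name, text in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, audit_xmlrpc(text))
```

The audit only reads the file's text; it does not show whether the server is configured to honour .htaccess overrides, so a request to xmlrpc.php from an outside address is still the final check.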
That’s all for now. Let us know your thoughts! 🙂