Should you disable xmlrpc.php in WordPress

WordPress has always had inbuilt features that let you remotely interact with your site. Face it, sometimes you’ll need to access your website and your computer won’t be anywhere nearby. For a long time, the solution was a file named xmlrpc.php. But in recent years, the file has become more of a pest than a solution.

What Is Xmlrpc.php?

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, this was sought to handle that job.

For example, let’s say you wanted to post to your site from your mobile device since your computer was nowhere nearby. You could use the remote access feature enabled by xmlrpc.php to do just that.

The core features that xmlrpc.php enabled were allowing you to connect to your site via smartphone, implementing trackbacks and pingbacks from other sites, and some functions associated with the Jetpack plugin.

The Reality of XMLRPC

For the most part, xmlrpc.php  is only truly useful if you’re planning to use mobile apps or remote connections to publish content on your website. As mobile use has been such a prevalent way to access the Internet, many people will use remote apps to make developing their WordPress sites much easier.

This is also one of the reasons why developers put so much effort into fixing the problems with this feature’s coding in the past.

However, not everyone will need this ability enabled. Many aspects of the system work very well and are easy to use on smartphones or tablets. This is especially true since the core of WordPress works exceptionally well in a mobile environment.

Method 1: Disabling Xmlrpc.php With Plugins

Disabling XML-RPC on your WordPress site couldn’t be easier.

Simply navigate to the Plugins › Add New section from within your WordPress dashboard. Search for Disable XML-RPC and install the plugin that looks like the image below:

Activate the plugin and you’re all set. This plugin will automatically insert the necessary code to turn off XML-RPC.

However, keep in mind that some existing plugins may utilize parts of XML-RPC, so disabling it completely could cause a plugin conflict or certain elements of your site to no longer function.

If you’d want to only turn certain elements of XML-RPC off, but still allow certain plugins and features to work, then use the following plugins instead:

• Stop XML-RPC Attack. This plugin will stop all XML-RPC attacks, but it’ll continue to allow plugins like Jetpack, and other automatic tools and plugins to retain access to the xmlrpc.php file.
• Control XML-RPC Publishing. This allows you to retain control and use over the remote publishing option afforded by xmlrpc.php.

Method 2: Disabling Xmlrpc.php Manually

If you don’t want to utilize a plugin and prefer to do it manually, then follow this approach. This will stop all incoming xmlrpc.php requests before it gets passed onto WordPress.

Open up your .htaccess file. You may have to turn on the ‘show hidden files’ within file manager or your FTP client to locate this file.

Inside your .htaccess file, paste the following code:

Contact our support if you require assistance making this change Support

When Will I Need to Enable XMLRPC On My Site?

If you use, or are planning to use, a remote system to post content to your site, you will need this feature enabled. Otherwise, you won’t be able to make remote connections through the system. If you disabled the feature and found that some of your plugins or other tools no longer work, you will need to re-enable it to continue using those additions.

Not everyone will need xmlrpc.php turned on within WordPress for it to function properly. In fact, a lot of you may never use this feature at all. If you’re worried about additional security issues, it’s in your best interest to disable this feature until you absolutely need it.