Looking for ways to implement WordPress disable XMLRPC?
XML-RPC is an outdated WordPress feature that most WordPress websites don’t need. Leaving the feature enabled poses a security risk. Hackers can use it to gain access to your website and use the site to carry out malicious deeds like storing pirated files, and attacking other websites, among other things.
So in this article, we will show you how to protect your website from hackers by disabling the XML-RPC.
Let’s get started.
What is XML-RPC?
The XML-RPC is an old WordPress feature that allowed WordPress to communicate with other systems.
So for instance, if you wanted to use applications like WordPress mobiles app, or Open Live Writer to publish articles on your website, you need XML-RPC to establish communication between the apps and the website.
That’s not all. During pingbacks and trackbacks, WordPress used XMLRPC to notify other websites that their content had been published. Services like IFTTT also needed XMLRPC to be able to connect to a WordPress website.
However, the feature is largely redundant now and has been replaced by the REST API. Like the XML-RPC, the REST API enables a WordPress website to connect with external systems.
All websites running on the latest WordPress core are powered by REST API. That said, WordPress is yet to eliminate XMLRPC from its core. This particular functionality is turned on by default since WordPress 3.5.
Now, when it comes to disabling XML-RPC, security experts recommend doing it not just because the feature is mostly redundant but because it poses a security threat. More on that in the next section.
Why is XML-RPC Dangerous?
Having the XMLRPC feature enabled on your WordPress website poses a security risk. It introduces security vulnerabilities that can be exploited by hackers to gain access to your website.
For instance, pingbacks and trackbacks are powered by XMLRPC. Hackers can exploit XML-RPC to send tons of pingbacks to your website within a short period of time in the hopes of overwhelming and crashing your website. This type of hack attack is called DDoS attack.
Hackers can also implement brute force attacks using the xmlrpc.php file. Say you want to publish a post via the WordPress app. When you try to connect with your website using the app, an xmlrpc.php request is made. The request is authenticated with the help of a username and password. Once the authentication is complete, you can access your site and publish the post.
This is a great way to ensure that your workflow remains unhindered even if you can’t access your site via a laptop or desktop.
But the problem is that hackers can use this technique to access your site. All they need to do is try different combinations of username and password to find the correct credential.
To mitigate the risk of a hack attack, you need to disable XML-RPC on your WordPress website. In the next section, we will show you how to achieve that.
WordPress Disable XMLRPC: 2 Methods
There are two ways in which you can disable the XMLRPC from your WordPress website. You can either use a plugin or do it the manual way. In this section, we will show you how to implement both methods.
But before we start, take a backup of your entire website. In the following tutorial, you will need to install a new plugin or make modifications to your WordPress files. Such steps can end up breaking your website. If that happens, you can use the backup to restore the site back to normal.
Now, let’s begin with the tutorial.
Use Plugin to Disable XMLRPC
There are a number of dedicated plugins that you can use to disable the XMLRPC from your WordPress website.
But first, you might want to check if your security plugin has an option to disable the feature, assuming that you are using a security plugin on your site.
If the security plugin cannot remove XMLRPC or you are not using a security plugin in the first place, then go to your WordPress dashboard, install and activate any one of the following plugins:
Using these plugins is super easy. All you need to do is install any one of the plugins on your WordPress website and it will disable XML-RPC on its own.
Use Manual Method to Disable XML-RPC
Many of you probably don’t want to install more plugins on your WordPress site. In that case, try the manual method.
But know that the manual method is risky business as it involves modifying important WordPress files. A single mistake can break your website. You could lose access to your dashboard.
Even if you are comfortable editing WordPress files, we recommend proceeding with caution.
To disable XML-RPC manually, you need to edit your .htaccess file. Here’s how:
Disable XMLRPC via .htaccess File
Log into your hosting account and go to cPanel. In there, select File Manager and then look for the public_html folder. Inside this folder, you should find the .htaccess file.
Right-click on the file and select the Edit button. Next, scroll down to the end of the file and insert the following code snippet:
# Block WordPress xmlrpc.php requests
deny from all
Don’t forget to hit the Save button before exiting.
With the help of this code snippet, you are disabling XMLRPC completely. But if you want to deny most XML-RPC requests and still be able to use an app or two, then there is a way to achieve that.
If you can learn the IP address of the app, then insert the following code snippet:
# Block WordPress xmlrpc.php requests order deny,allow deny from all allow from 126.96.36.199
In the code snippet, we are using a fake IP address for demonstration purposes. Make sure to replace it with the app’s IP address.
On your hosting account, if you don’t have access to your cPanel, then use an FTP client like Filezilla to modify the .htaccess file. Here’s a guide that’ll help you set up Filezilla.
Disable XML-RPC Using Filter
Developers who can create a custom plugin can use the following filter:
That’s it. Those are the steps you need to take to disable XMLRPC from on WordPress website.
Testing XML-RPC Functionality
The easiest way to test if the XML-RPC has been disabled on your website is by installing the WordPress app on your smartphone and trying to log into your site.
You will be blocked from accessing your site and you are likely to see an “XML-RPC services are disabled on this site” message on the login page.
If you failed to disable the feature, then seek help from your hosting provider.
The XML-RPC, although a helpful feature in the past is more of a threat these days. Disabling it will close a door that a potential hacker may exploit to hack your WordPress website.
Disabling XMLRPC is super easy if you are using a plugin. But if adding more plugins to your site is something you want to avoid then you can insert a code snippet in your .htaccess file.
You can also create a custom plugin and use a filter to implement WordPress disable XMLRPC.
That’s it for this one folks! If you have any questions about how to disable XML-RPC on your WordPress website, let us know in the comment section below. Also, check out our blog for more tutorials on WordPress.