Disabling XML-RPC (xmlrpc.php) in WordPress

xmlrpc.php in WordPress provided the ability to use offline clients, in which administrators could create and edit entries and then publish them to the site using xmlrpc.php. Today, this tool is no longer relevant, moreover, it represents a potential vulnerability. Therefore, it is advisable to restrict access to xmlrpc.php.

Attackers often try to use this entry point to crack administrative site passwords or to launch DDoS attacks, which in turn leads to excessive resource usage and inaccessibility of your site.

By default, our shared hosting servers (cPanel and DirectAdmin) are filtering requests to xmlrpc.php. Thus, you do not need to disable it additionally.

But if your service is on shared hosting with an ISPmanager control panel or on a VPS service, then we have a couple of options for you to close access via xmlrpc.php

  • First, you need to understand if XML-RPC is enabled on your site.

You can check it using the XML-RPC Validator at http://xmlrpc.epizy.com/
Enter the address of your site in the Address field and click Check.

Depending on the result of the test, you conclude:

«Failed to check your site at [ссылка] because of the following error», xmlrpc.php is disabled on the website.

«Congratulation! Your site passed the first check», xmlrpc.php is enabled on the site and needs to be disabled.

  • There are a couple of ways to disable XML-RPC:

1. Add a rule in the .htaccess files of your site:

<Files xmlrpc.php>

order deny,allow

deny from all


2. Install the Disable XML-RPC plugin and activate it. It will specify the necessary settings and close access through xmlrpc.php.

Rate this article
Share this article
Notify of
Inline Feedbacks
View all comments
In this article