XML-RPC has been part of WordPress for many years, originally added so that external software could interact with your site remotely. Today, however, it is better known as a favourite target for abuse. This article explains what XML-RPC is, why WordPress sites use it, and why you should strongly consider disabling it.
Understanding XML-RPC
XML-RPC stands for XML Remote Procedure Call. It is a protocol that lets applications call functions on a remote server by sending XML-formatted requests over HTTP. WordPress exposes it through the xmlrpc.php file in the site root, and since WordPress 3.5 it has been enabled by default with no setting to turn it off. WordPress included XML-RPC to allow remote publishing, site management, and integration with external applications.
Typical uses of XML-RPC include:
- Remote publishing (posting to your blog from external apps).
- Pingbacks and trackbacks.
- Connecting to Jetpack and mobile apps for WordPress.
Why XML-RPC Became Problematic
Despite its usefulness, XML-RPC became a popular target because a few kinds of attack are unusually cheap against it:
1. Brute Force Attacks
Attackers use the system.multicall method to bundle hundreds of authenticated calls, typically wp.getUsersBlogs with a different password each time, into a single HTTP request. Plugins that rate-limit wp-login.php never see these attempts unless they also watch xmlrpc.php, so a handful of requests can test thousands of passwords. Since WordPress 4.4 the server stops authenticating the remaining calls in a multicall once one login has failed, which blunts the bulk technique, but every POST still carries at least one guess and bypasses protections that apply only to the login page, so the endpoint remains a brute-force target.
2. DDoS and Amplification Attacks
Attackers abuse the pingback.ping method to turn innocent WordPress sites into reflectors in distributed denial-of-service (DDoS) attacks. A pingback request names a source URL, and the receiving site fetches that URL to verify the link. An attacker who sends such requests to thousands of WordPress sites, each naming the victim as the source, gets all of them to hit the victim, hiding the real origin and spreading the load across many senders. Strictly speaking this is reflection rather than amplification, since each pingback produces roughly one outbound request, but the number of willing reflectors is what makes it hard to stop. According to Wordfence, this type of abuse has been documented since at least 2014 and remains active today.
3. Spam and Pingback Abuse
Pingbacks and trackbacks were meant to notify authors when someone links to their content, but they became a channel for spam comments and unwanted traffic. Automated bots constantly scan for reachable xmlrpc.php endpoints and send pingbacks at scale.
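The two abuses above are visible in the request body itself, which is what a WAF or IDS rule inspects. The following Python script is an added example, not code from the original article: it parses an xmlrpc.php POST body, lists the calls a system.multicall carries, extracts every credential pair it tries, and names the host a pingback.ping would make the server fetch. The sample bodies at the bottom are constructed for the demonstration, and the one-login-per-request policy in verdict() is an assumption you would tune.

```python
"""Inspect an xmlrpc.php POST body the way a WAF or IDS rule would.

Added example, not code from the original article. It parses the XML-RPC
request, lists the individual calls it carries, pulls out every credential
pair a system.multicall tries, and names the host a pingback.ping would
make the server fetch. The sample bodies at the bottom are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Path to each inner call of a system.multicall request.
MULTICALL_STRUCTS = "./params/param/value/array/data/value/struct"


def _scalar(value_el):
    """Text of an XML-RPC <value>: the typed child (<string>, <int>) or bare text."""
    if value_el is None:
        return ""
    child = next(iter(value_el), None)
    text = child.text if child is not None else value_el.text
    return (text or "").strip()


def _member(struct_el, name):
    """Return the <value> of the named <member> inside a <struct>, or None."""
    for member in struct_el.findall("./member"):
        if (member.findtext("name") or "").strip() == name:
            return member.find("value")
    return None


def inspect_request(body):
    """Summarise one request: top-level method, inner calls, credentials, pingback fetches."""
    # The stdlib parser is fine here because the input is our own sample;
    # on real traffic use defusedxml to avoid entity-expansion tricks.
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()

    calls = []
    if method == "system.multicall":
        for struct in root.findall(MULTICALL_STRUCTS):
            params_el = _member(struct, "params")
            values = params_el.findall("./array/data/value") if params_el is not None else []
            calls.append((_scalar(_member(struct, "methodName")), [_scalar(v) for v in values]))
    else:
        calls.append((method, [_scalar(v) for v in root.findall("./params/param/value")]))

    credentials, pingback_fetches = [], []
    for name, params in calls:
        if name == "wp.getUsersBlogs" and len(params) >= 2:
            credentials.append((params[0], params[1]))   # (username, password)
        elif name.startswith("wp.") and len(params) >= 3:
            credentials.append((params[1], params[2]))   # (blog_id, username, password, ...)
        elif name == "pingback.ping" and params:
            # WordPress fetches sourceURI (params[0]) to verify the backlink;
            # that outbound request is what reflection attacks borrow.
            pingback_fetches.append(urlparse(params[0]).hostname or "")
    return {"method": method, "calls": len(calls),
            "credentials": credentials, "pingback_fetches": pingback_fetches}


def verdict(summary, max_logins_per_request=1):
    """Policy (assumed): one credential pair per request is normal use; more is stuffing."""
    if len(summary["credentials"]) > max_logins_per_request:
        return "block: multicall login stuffing"
    if summary["pingback_fetches"]:
        return "review: pingback would fetch " + ", ".join(summary["pingback_fetches"])
    return "allow"


def _multicall_body(creds):
    """Constructed sample: a system.multicall trying each (user, password) pair."""
    inner = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{user}</string></value><value><string>{pw}</string></value>"
        "</data></array></value></member></struct></value>"
        for user, pw in creds
    )
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            f"<params><param><value><array><data>{inner}</data></array></value></param></params>"
            "</methodCall>")


SAMPLES = {   # constructed request bodies, not captured traffic
    "stuffing": _multicall_body([("admin", "123456"), ("admin", "password"), ("admin", "qwerty")]),
    "pingback": ('<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params>'
                 "<param><value><string>https://victim.example/</string></value></param>"
                 "<param><value><string>https://blog.example/2025/03/hello-world/</string></value></param>"
                 "</params></methodCall>"),
    "normal": ('<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params>'
               "<param><value><string>editor</string></value></param>"
               "<param><value><string>correct-horse-battery</string></value></param>"
               "</params></methodCall>"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        summary = inspect_request(body)
        print(f"{label:9s} calls={summary['calls']} logins={len(summary['credentials'])} -> {verdict(summary)}")
```

The point the script makes is that a single request can be entirely ordinary at the HTTP layer (one POST, HTTP 200 in response, a fault only inside the XML) while carrying dozens of password guesses or an outbound fetch of someone else's server; anything that only counts requests or watches wp-login.php will miss it.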
Signs XML-RPC is Being Abused on Your Site
If you notice any of the following, your site may already be under attack through this endpoint:
- Excessive login attempts in security logs.
- High CPU usage and spikes in bandwidth.
- Frequent spam comments via pingbacks.
- Decreased site responsiveness.
- Repeated requests to xmlrpc.php in your server access logs.
You can read the server access logs directly or use a security plugin with a built-in log viewer to spot these patterns quickly. Count requests rather than error codes: a failed XML-RPC login still returns HTTP 200 with a fault inside the XML body, so a run of 200s from one client is not a sign that all is well. The sooner you catch the abuse, the less damage it does to your site’s performance and reputation.
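As an added example, not from the original article, here is the kind of check a log viewer performs for the last two warning signs above. It parses Apache or nginx "combined" format lines, keeps those that touch xmlrpc.php, and flags any client that POSTs to it more than a threshold number of times within a single minute. The log lines are constructed for the demo and the 20-per-minute threshold is an assumption; tune it to your own traffic.

```python
"""Triage xmlrpc.php traffic in a combined-format web server access log.

Added example, not from the original article. It parses Apache/nginx
"combined" log lines, keeps the ones that hit xmlrpc.php, and flags clients
whose POST rate in any one-minute bucket exceeds a threshold. The log lines
below are constructed; the threshold is an assumption you should tune.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_hits(lines):
    """Keep only entries whose path is xmlrpc.php, whatever the method or status."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            hits.append(rec)
    return hits


def flag_clients(hits, max_posts_per_minute=20):
    """Flag IPs that POST to xmlrpc.php more than the threshold in any minute.

    Counts requests rather than status codes: a failed XML-RPC login still
    returns HTTP 200 with a <fault> in the body, so 200s are no sign of health.
    Returns {ip: {"peak_per_minute": n, "user_agents": [...]}}.
    """
    per_minute = Counter()
    agents = defaultdict(set)
    for rec in hits:
        if rec["method"] != "POST":
            continue   # GETs only receive the "accepts POST requests only" notice
        per_minute[(rec["ip"], rec["time"].replace(second=0))] += 1
        agents[rec["ip"]].add(rec["ua"])
    flagged = {}
    for (ip, _minute), n in per_minute.items():
        if n > max_posts_per_minute:
            entry = flagged.setdefault(ip, {"peak_per_minute": 0, "user_agents": sorted(agents[ip])})
            entry["peak_per_minute"] = max(entry["peak_per_minute"], n)
    return flagged


def _sample_log():
    """Constructed sample: one bot hammering the endpoint, a Jetpack sync, normal visitors."""
    bot_ua = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    lines = [
        f'198.51.100.23 - - [12/Mar/2025:10:15:{sec:02d} +0000] "POST /xmlrpc.php HTTP/1.1" '
        f'200 601 "-" "{bot_ua}"'
        for sec in range(45)
    ]
    lines += [
        '203.0.113.9 - - [12/Mar/2025:10:15:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack by WordPress.com"',
        '203.0.113.9 - - [12/Mar/2025:10:15:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack by WordPress.com"',
        '192.0.2.44 - - [12/Mar/2025:10:15:10 +0000] "GET /2025/03/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
        '192.0.2.45 - - [12/Mar/2025:10:15:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    ]
    return lines


SAMPLE_LOG = _sample_log()   # constructed, not a real server log

if __name__ == "__main__":
    hits = xmlrpc_hits(SAMPLE_LOG)
    print(f"{len(hits)} requests to xmlrpc.php out of {len(SAMPLE_LOG)} log lines")
    for ip, info in flag_clients(hits).items():
        print(f"flag {ip}: peak {info['peak_per_minute']} POST/min, UA {info['user_agents']}")
```

On the sample the bot at 198.51.100.23 is flagged at 45 POSTs in one minute, while the two Jetpack requests from 203.0.113.9 stay under the threshold; that contrast is why a plain allow-list or block of xmlrpc.php by client, as discussed later in the article, is usually more useful than a global on/off switch when an integration is in use.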
Benefits of Disabling XML-RPC
Disabling XML-RPC enhances your website’s security, providing immediate benefits:
- Reduced Exposure: Removes the endpoint used for multicall brute force and pingback reflection.
- Improved Performance: Reduces unnecessary resource usage, enhancing your website’s speed and stability.
- Less Spam: Greatly reduces unwanted spam comments and pingback notifications.
- Lower Attack Surface: One less publicly reachable endpoint to probe, and one less code path that accepts unauthenticated input.
WordPress security researchers at Patchstack consistently recommend disabling this feature on sites that do not actively rely on it, as part of a broader hardening strategy.
How to Safely Disable XML-RPC in WordPress
Method 1: Using a Security Plugin
Plugins like BotBlocker include built-in options to disable XML-RPC safely with just one click. This is the recommended approach for non-technical users since it does not require editing any core files.
Method 2: Disable via .htaccess
Add this snippet to the .htaccess file in the site’s root folder (Apache only; it has no effect on nginx or other web servers, which need an equivalent rule in their own configuration):
# Block WordPress xmlrpc.php requests (Apache 2.4 syntax, with a 2.2 fallback)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
The older Order/Deny directives alone only work on Apache 2.4 if mod_access_compat is loaded, so the snippet picks the right form for the running version. This approach works at the web-server level and answers with a 403 before PHP or WordPress is ever started, which makes it one of the cheapest and most effective ways to shut the endpoint. It does require that Apache honours .htaccess files for the directory (AllowOverride).
Method 3: Using functions.php
Alternatively, disable XML-RPC programmatically by adding this line to your theme’s functions.php (or, better, to a small site-specific plugin, so the setting survives a theme change):
add_filter('xmlrpc_enabled', '__return_false');
Keep in mind two limits. First, this filter is checked only when a method tries to authenticate, so it turns off the login-based methods but leaves unauthenticated ones such as pingback.ping answering; to stop pingback abuse as well, remove that method through the xmlrpc_methods filter. Second, it runs inside WordPress, so PHP still boots and handles every request before rejecting it. For high-traffic sites the server-level block is more efficient.
Can Disabling XML-RPC Break My Site?
In most cases, disabling XML-RPC won’t affect site functionality for regular users. However, if you use Jetpack, the WordPress mobile app, or third-party blogging tools, consider these points:
- Jetpack talks to WordPress.com over XML-RPC; blocking the endpoint breaks that connection and the features that depend on it.
- If you depend on the WordPress mobile apps or other remote publishing tools, keep XML-RPC reachable only for them, by allow-listing their source addresses in firewall or web-server rules or by using a plugin that filters by client or method.
Recommended Approach: Selective Disabling
The best strategy is often selective disabling:
- Block XML-RPC for general access.
- Allow specific IP addresses or applications you trust.
This keeps the integrations you actually use while shutting the door on bots and unknown sources. For most small and medium-sized WordPress sites that use none of these integrations, a complete block is safe and brings clear security gains with no noticeable drawbacks. Where external publishing tools are in use, selective rules give the right balance between access and protection.
Plugins like BotBlocker Pro offer easy configuration options to selectively manage XML-RPC access safely.