Last week, a friend of mine asked me a question: do you know what XML-RPC is, and how to disable XML-RPC in WordPress?

XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism.

“XML-RPC” also refers generically to the use of XML for remote procedure calls, independently of the specific protocol.


Source: https://en.wikipedia.org/wiki/XML-RPC

Q2: Do you know what it's for?

If you want to access and publish your blog remotely, then you need XML-RPC enabled.

But like other things, it has both advantages and disadvantages. It is an additional attack surface that is exposed if a vulnerability is ever found in it, so keeping it disabled makes more sense.

How to Disable XML-RPC in WordPress

1. Install the plugin
You can just install the plugin called Disable XML-RPC.
Link: https://wordpress.org/plugins/disable-xml-rpc/

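2. Paste the following code into your Theme Functions File (functions.php)

add_filter('xmlrpc_enabled', '__return_false');

Note that this filter only turns off the XML-RPC methods that require authentication. Pingbacks and other methods that do not need a login keep working, and xmlrpc.php itself still answers requests.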

3. Block WordPress xmlrpc.php requests with .htaccess
Simply paste the following code into your .htaccess file:

# BEGIN protect xmlrpc.php
<files xmlrpc.php>
order allow,deny
deny from all
</files>
# END protect xmlrpc.php

If you don’t use any mobile app or remote connections to publish on your blog, you can disable XML-RPC by default.
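
To confirm that the .htaccess block from step 3 is really in effect, you can check how the web server answered requests for xmlrpc.php. The script below is an added example, not part of the original post: it assumes an Apache access log in the "combined" format, and the sample log lines are constructed. Every xmlrpc.php request should show status 403 once the block is active; with the plugin or the filter alone the file still answers at the HTTP level, so this check applies to the .htaccess method.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "constructed-client/1.0"
192.0.2.10 - - [12/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "constructed-client/1.0"
198.51.100.7 - - [12/Mar/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "constructed-browser/1.0"
198.51.100.7 - - [12/Mar/2024:11:00:00 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "constructed-client/1.0"
203.0.113.5 - - [12/Mar/2024:11:00:09 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "constructed-client/1.0"
not a log line
"""


def xmlrpc_hits(lines):
    """Yield (host, method, status) for each request whose path ends in xmlrpc.php."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m["target"]).path  # drop any query string
        if path.rsplit("/", 1)[-1] == "xmlrpc.php":
            yield m["host"], m["method"], int(m["status"])


def summarize(lines):
    """Return (requests per status, requests per client that were NOT answered with 403)."""
    by_status, unblocked = Counter(), Counter()
    for host, _method, status in xmlrpc_hits(lines):
        by_status[status] += 1
        if status != 403:
            unblocked[host] += 1
    return dict(by_status), dict(unblocked)


if __name__ == "__main__":
    by_status, unblocked = summarize(SAMPLE_LOG.splitlines())
    print("xmlrpc.php requests by status:", by_status)
    print("clients that were not blocked:", unblocked or "none")
```

To run it against your own server, pass the lines of your access log to summarize() instead of SAMPLE_LOG.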