R Web Hosting Blog

The latest news, step by step guides and top tips from our tech experts

What is WordPress XML-RPC – Why You Should Disable It?

What is WordPress XML-RPC

Table of Contents

If you have even the slightest knowledge of WordPress, you must know that this free content management system has various inbuilt features. Not only do these inbuilt plug-in architectures make user experiences a whole lot easier, but they also allow flexibility of usage. However, even the best of things have some catches, don’t they? So do many of these WordPress features! In this post let’s discuss whats is XML-RPC.

What is WordPress XML-RPC?

XML-RPC is one of the significant examples of such technical add-ons. This feature in the WordPress software allows users to access the site remotely. XML-RPC (Extensible Markup Language – Remote procedure call) works as a coding mechanism and supports data transmission throughout the process. The other technical structure – RPC or the Remote Procedure Cell works by transmitting the data using HTTP as a transport mechanism.

Too technical to understand, is it? Let me help you with an example! Imagine you are in a cafe and need to upload an article on your WordPress website, but you don’t have your laptop with you. So, you can access your WordPress using the remote access feature enabled by XML-RPC. It’s this simple!

Why Should You Disable XML-RPC?

Now, many people ask me whether XML-RPC is dangerous for WordPress or not. Well, the simple answer to the question is no! Because the feature itself causes no harm to your system! However, you do not have any need for it, either.

While the XML-RPC feature was pretty helpful for people a decade ago, the faster internet speed of the present era has taken over command from XML-RPC. And let’s not forget that every additional element on your website adds to hackers’ opportunities to break into your space. (We’ll talk about that in detail later!)

So, the best idea would be to disable it. And let me tell you that we are not the only ones to say this. WordPress has made the process easier for users to disable the XML-RPC if they do not need it. While the older WordPress versions lacked the feature of enabling and disabling XML-RPC manually, the latest version, 4.4.1, has disabled this feature by default.

However, the millions of users who still own the outdated version of the website should manually disable the XML-RPC feature for the sake of their device’s safety.

What are the Potential Risks of WordPress XML-RPC?

Potential risk of XML-RPC

But how exactly can hackers break into your system if you have WordPress XML-RPC enabled? Mentioned below are a few examples to give you a better idea:

  • If you have ever remotely accessed your WordPress to publish content, you must know that WordPress creates an XML-RPC request. You can verify the request by entering your username and password. Now, if hackers somehow get their hands on these particulars, they can get immediate access to your site.
  • Hackers may also use bots to try to guess your credentials. The XML-RPC function makes it easier for them to guess your username and password and gain access to your WordPress website.

Once hackers gain access to a WordPress website, they can exploit the XML-RPC feature and bring down the website by sending pingbacks from thousands of websites. This results in crashing the webserver.

How to Disable XML-RPC in WordPress?

So, if you don’t use RPC calls to update your WordPress website, go ahead and disable the XML-RPC function.

What’s that? You don’t know how to? Fret not, as I have mentioned the step by step procedure of disabling XML-RPC in WordPress both manually and through a plug-in.

Disable XML-RPC Using a Plug-in

A simple plug-in named ‘Disable XML-RPC’ can help you to disable the feature on your WordPress. Here’s how!

  • Log in to your wp-admin dashboard
  • Locate the ‘Plug-ins’ command on the left-hand menu. Click on it.
  • Select ‘Add new.’
  • Search for the ‘Disable XML-RPC’ plug-in. Install this plugin and activate it.
  • To enable XML-RPC on your WordPress, deactivate the plug-in following the same steps.

Disable XML-RPC Manually

If you want to disable XML-RPC manually, here’s how to do so!

  • Run a backup of your WordPress.
  • Login to your WordPress hosting and go to ‘cPanel.
  • Open the ‘File Manager’ and search for the ‘htaccess’ file.
  • Choose ‘Edit’ and paste the following code in the file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny, allow
deny from all
allow from xxx.xxx.xxx.xxx
  • Save and exit.

Replace xxx.xxx.xxx.xxx with an IP address you wish to grant remote access to xmlrpc.php. Remove this line to disable XML-RPC entirely.

Which option is better – Plug-in or Manual?

If you ask for my recommendation, I suggest that you go for the plug-in method. Not only does the plug-in makes the process faster, easier and simple, but it also makes the process risk-free. However, the choice is yours!


Minimize the risk of exposing your device as a defenceless device to hackers. While you can minimize this risk by setting up strong passwords, the best way to eliminate the potential security concern is by disabling XML-RPC! However, be aware that disabling XML-RPC does not guarantee overall protection to your WordPress.

Check out our WordPress web hosting packages designed to simplify, secure and speed up WordPress installation and management.

Latest Posts
Hot Topics