What Is xmlrpc.php In WordPress

WordPress comes with built-in features that will help you to interact with your website remotely. Sometimes, you need to access your WordPress website and you don’t have your system (Computer).

For a long time, WordPress provided a solution called xmlrpc.php file. But in recent years this file solution becomes a vulnerability instead of a perfect solution.

Here, we will discuss xmlrpc.php in WordPress and what are the security issues of XMLRPC, and why we need to disable this option.

Table of Content

Why do we need to disable it?

The main reason for disabling the XML-RPC file on your WordPress website is because this file introduces different vulnerability attacks. Now, you can protect your WordPress website with strong passwords and different security plugins. But the best mode of website protection is to simply disable this feature on your WordPress site.

There are 2 main weaknesses of the XML-RPC feature in WordPress.

Brute Force Attack

Each time xmlrpc.php file creates a request to authenticate the User name and password, but other APIs don't. In fact, the other APIs send a token for authentication instead of a username and password.

Because the xmlrpc.php sends a request every time for the authentication of information and the hackers can use this information to access your website. Because, a brute force attack helps to insert, delete, and modify the website code or damage your website database.

If a hacker sends enough requests of different usernames and password pairs and there is a chance that they can easily hit on the right one and get access to your WordPress website. 

That’s why if you are using an up-to-date or latest version of WordPress on your website and using different Authentication APIs to communicate with external systems, then you have to disable this XML-RPC option on your WordPress website.

DDoS Attack (Pinbacks)

DDoS is a second attack that can occur if your site is xmlrpc.php enabled and your site will be taken down/offline through a DDoS attack. Because Pingback and trackback are features of xmlrpc.php. If your site is enabled xmlrpc.php, then a hacker can send a vast number of pingbacks to your WordPress site in a short period of time. This attack could overload your server and put your website out of action or down.

Method 1: Disable xmlrpc.php With WordPress Plugin

By installing the plugin to disable the XML-RPC is one of the easiest methods to disable the xmlrcp.php in WordPress website. You can easily disable the XML-RPC by using The LoginPress Pro Plugin. Simply you need to follow the given steps to disable the XML-RPC on your website with LoginPress.

1. Log in to your WordPress website Dashboard
2. Install and activate the LoginPress Pro version
3. Navigate to LoginPress → Settings
4. In the Settings window of LoginPress click on the Limit Login option

xmlrpc.php in wordpress settings

4. In the Limit Login Tab, you will have an option to Disable XML RPC Request.
5. Click on the Toggle button to disable the XML RPC option and click on the Save Changes button.

disable xmlrpc.php in wordpress

Method 2: Disable xmlrcp.php Manually

If you don’t want to use any plugin to disable the xmlrcp.php then you can disable XML-RPC manually through the .htaccess file of your website.

  1. Open the .htaccess file of your WordPress website
  2. Now copy and paste the given code to your .htaccess file

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

Method 3: Disable xmlrcp.php from the theme.

If you want to disable the XMLRPC on the complete site then use this filter in your child theme's functions.php file.

add_filter( 'xmlrpc_enabled', '__return_false' );

This filter will disable the XML-RPC on your WordPress website.


The XML-RPC was created for WordPress website communication with external systems and applications. But due to its functionality means authentication process different security issues have occurred which means hackers can easily attack on your WordPress website.

But now current APIs help you to communicate with external systems & Application, in which they are using a token for authentication instead of using username and password. Now you can disable the xmlrcp.php in wordpress file for safe communication, just you need to follow the above methods to disable the XML-RCP, by disabling it you will improve the level of your website security.

That's all! You can also check out How to Find the WordPress Login URL (Easy Guide) and How to Easily Change the Login Logo in WordPress.

Not using LoginPress yet? What are you waiting for?


  1. Hi there! Someone in my Facebook group shared this site with us
    so I came to check it out. I’m definitely loving the information. I’m book-marking and
    will be tweeting this to my followers! Great blog and brilliant design.

Leave a comment

Your email address will not be published. Required fields are marked *