How to block XML-RPC on WordPress
XML-RPC allows communication between WordPress and other systems. Present since the beginning of WordPress, it has been used among others for exchanges with the mobile application, with other blogging platforms or the all-in-one plugin JetPack. The REST API has replaced the XML-RPC. The latter is therefore no longer useful and it is better to disable it, especially since it is sensitive to Brute Force and DDoS attacks due to its specificities. The REST API is totally stable since many versions of WordPress. The XML-RPC is certainly living its last days, it has become totally obsolete.
Disable XML-RPC with a plugin
The following plugins allow you to disable the xmlrpc.php. The first plugin is dedicated only to this task.
Disable XML-RPC (Philip Erb)
https://wordpress.org/plugins/disable-xml-rpc/
Disable XML-RPC-API (Neatmarketing)
https://wordpress.org/plugins/disable-xml-rpc-api/
Cerber Security, Anti-spam & Malware Scan (Cerber Tech Inc.)
Clearfy (Creative Motion)
Loginizer (Softaculous) in its pro version
Disable the xmlrpc.php via the .htaccess file
In your .htaccess file, you just have to add the following code:
# BEGIN Disable XML-RPC request
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
# END Disable XML-RPC
Disable xmlrpc.php on your server
If you are on a Nginx server, ask your system administrator to add the following code to the Nginx.config file:
# nginx block xmlrpc.php requests
location ~* ^/xmlrpc.php$ {
return 403;
}
Block xmlrpc.php with wp-config.php
You can also add a filter at the end of the wp-config.php file. This will disable the XML-RPC. Add the code below just after the last ABSPATH
statement:
add_filter('xmlrpc_enabled', '__return_false');
Disable the xmlrpc via the function.php file
Warning: this code has not been checked lately. To be tested on a site under development.
add_filter(‘xmlrpc_enabled’, ‘__return_false’);
// deactivate x-pingback HTTP header
add_filter(‘wp_headers’, function($headers) {
unset($headers[‘X-Pingback’]);
return $headers;
});
// deactivate pingbacks
add_filter( ‘xmlrpc_methods’, function( $methods ) {
unset( $methods[‘pingback.ping’] );
return $methods;
} );
remove_action( ‘wp_head’, ‘rsd_link’ );
How to test if the XML-RPC is disabled
Once the plugin is installed and configured or once you have used one of the other methods, you can check if the XML-RPC is blocked on the following website: https://xmlrpc.eritreo.it/. Enter the URL of your site in the Address field and click on Check. If the XML-RPC is blocked, you will obtain the following result:
Note that it is not wise to just delete the xmlrpc.php file from your WordPress folder. It is possible that this will cause errors on your website and the file will reintegrate the code during the next updates.