
How to Disable XML-RPC in WordPress?

XML-RPC is an older built-in WordPress technology that was originally created to help external tools publish content or authenticate users remotely. Today it is rarely needed, yet most WordPress websites still have it enabled without knowing the security and performance risks it brings.

Bots often abuse XML-RPC to send thousands of login attempts or create artificial load on your hosting. If you want a safer, faster and more reliable website, disabling XML-RPC is one of the simplest steps you can take.

In this guide, you will learn what XML-RPC is, why you should disable it and multiple ways to disable it safely.

What Is XML-RPC in WordPress?

XML-RPC stands for XML Remote Procedure Call. It allows apps and services outside your website to talk to WordPress. Years ago, it was used by:

• Mobile apps
• Desktop publishing tools
• Jetpack’s older connection system
• Remote blogging tools

WordPress now uses the REST API for almost everything. XML-RPC remains active mostly for backward compatibility, even though very few websites rely on it.

The problem is that XML-RPC exposes functions like:

• Login authentication
• Pingbacks
• system.multicall

These can be abused heavily by bots.

Why You Should Disable XML-RPC?

Even though XML-RPC can be useful in niche situations, for most WordPress users today, it’s more of a liability than an asset.

Here are a few reasons why you should disable XML-RPC:

1. Brute Force Amplification

Hackers can use system.multicall (a method within XML-RPC) to try thousands of passwords in a single HTTP request. That makes brute force attacks far more efficient than attacking the regular login form.

2. DDoS and Pingback Attacks

Attackers can exploit the pingback.ping method to turn your site into a bot in a DDoS attack against other sites.

3. Resource Drain

Even failed attempts hit your server, increasing load and consuming CPU and bandwidth. This is especially dangerous on shared hosting or lower-tier VPS setups.
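To see how much of this traffic your own server receives, and which clients send it, you can count POST requests to xmlrpc.php per IP address and User-Agent. This is an added example, not part of the original article; it assumes the Apache/Nginx combined log format, and the function names and log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarise who is POSTing to /xmlrpc.php.
# Usage on a real log: xmlrpc_clients 100 < /path/to/access.log

# Print "count<TAB>ip<TAB>user-agent" for every client with at least
# $1 POSTs to /xmlrpc.php (default 1), busiest first.
xmlrpc_clients() {
    awk -F'"' -v min="${1:-1}" '
        # With a double quote as separator: $1 = "ip - - [date] ",
        # $2 = request line, $6 = User-Agent (combined log format).
        $2 ~ /^POST \/xmlrpc\.php[? ]/ {
            split($1, head, " ")        # head[1] is the client IP
            hits[head[1] "\t" $6]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min) printf "%d\t%s\n", hits[k], k
        }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample log (documentation IP ranges, made-up clients).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2025:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "ExampleBlogApp/2.1"
198.51.100.20 - - [10/Jan/2025:10:05:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "ExampleBlogApp/2.1"
192.0.2.15 - - [10/Jan/2025:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}
```

A client that appears with a low count and a recognisable User-Agent may be a tool that still depends on XML-RPC; check for those before blocking the endpoint.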

How to Check If XML-RPC Is Enabled?

Visit this URL in your browser:

https://yourwebsite.com/xmlrpc.php

If you see: “XML-RPC server accepts POST requests only” then your site has XML-RPC enabled.

If the file is blocked or disabled, you will see a denial or 403 message.
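The browser check only shows whether xmlrpc.php answers at all; it cannot show whether individual methods have been removed. The script below is an added example, not from the original article: it classifies the GET response and reads a system.listMethods reply to see whether pingback.ping and system.multicall are still advertised. The function names are chosen here and example.com is a placeholder.

```bash
#!/usr/bin/env bash
# Added example. Run it only against a site you administer:
#   check_site https://example.com

# Turn the HTTP status and body of a GET /xmlrpc.php into a verdict.
classify_xmlrpc() {
    local status="$1" body="$2"
    case "$body" in
        *"XML-RPC server accepts POST requests only"*) echo "reachable"; return ;;
    esac
    case "$status" in
        401|403) echo "blocked" ;;       # denied by the web server or a firewall
        404|410) echo "not-found" ;;
        000)     echo "no-response" ;;   # curl got no HTTP reply at all
        *)       echo "unknown" ;;
    esac
}

# Read a system.listMethods response on stdin and print the two
# commonly abused methods it still lists, space separated.
risky_methods() {
    grep -oE '<string>(pingback\.ping|system\.multicall)</string>' |
        sed -E 's/<\/?string>//g' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Network wrapper around the two functions above.
check_site() {
    local url="${1%/}/xmlrpc.php" out status body call
    call='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>'
    # Append "|<status>" to the body so one request yields both values.
    out=$(curl -s -m 10 -w '|%{http_code}' "$url") || true
    status="${out##*|}"
    body="${out%|*}"
    echo "GET  -> $(classify_xmlrpc "$status" "$body") (HTTP $status)"
    echo "POST -> still listed: $(curl -s -m 10 -H 'Content-Type: text/xml' \
        --data "$call" "$url" | risky_methods)"
}
```

A "blocked" verdict with an empty "still listed" line is what a server-level block should produce; "reachable" means requests are still being handled by WordPress.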

How to Disable XML-RPC in WordPress?

I will walk you through some of the methods to disable XML-RPC for your WordPress website. These methods are safe and efficient:

Method 1: Disable XML-RPC using a Plugin (Recommended)

If you want a quick and simple way to disable XML-RPC, the Perform WordPress plugin, which I developed, is the most convenient and modern solution.

Inside Perform, you can:

• Disable access to xmlrpc.php with one toggle
• Block system.multicall abuse

This gives you performance control and security in a single tool without editing files or using code.

This is the easiest and safest method for beginners and developers who want to manage everything from inside WordPress.

Method 2: Disable XML-RPC Using .htaccess (Apache Servers)

On Apache-based hosting, you can block XML-RPC at the server level. This removes the load before it reaches WordPress.

Add this to your .htaccess file:

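<Files xmlrpc.php>
    # Apache 2.2 syntax; Apache 2.4+ accepts it only with mod_access_compat
    # loaded (the native 2.4 directive is "Require all denied").
    Order Allow,Deny
    Deny from all
</Files>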

Save the file and XML-RPC is fully disabled.

Method 3: Disable XML-RPC on Nginx Servers

Add the following location block in your server configuration:

location = /xmlrpc.php {
    deny all;
}

Reload Nginx and XML-RPC is blocked instantly.

Method 4: Disable XML-RPC with a Code Snippet

You can disable it directly from WordPress with one line of PHP.

Add this to a plugin or your theme’s functions.php:

add_filter( 'xmlrpc_enabled', '__return_false' );

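This is a clean and simple way to disable the feature from inside WordPress. Be aware that the xmlrpc_enabled filter only switches off the XML-RPC methods that require authentication: xmlrpc.php still answers requests, and methods that need no login, such as pingback.ping, remain available. Combine it with a server-level block if you want the endpoint fully closed.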

Method 5: Disable Only the Pingback Feature

If some tools rely on XML-RPC but you want to block only pingbacks, use this:

add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

This keeps limited functionality but prevents abuse.

Best Practices After Disabling XML-RPC

I have listed some of the best practices that you should follow after disabling XML-RPC for added security:

Enable a Firewall

Use Cloudflare or BunnyDNS to help block bad traffic before it hits your server.

Turn Off Pingbacks and Trackbacks

Go to Settings > Discussion and disable both.

Keep WordPress Updated

Security issues mostly come from outdated versions, not core features. Keep the core, plugins and themes up to date. For technical help, reach out to me or check out the maintenance plans.

Use Managed WordPress Hosting

Managed WordPress hosting reduces the impact of bot traffic and improves server stability so that you can focus on your business and don’t have to deal with servers.

Should You Disable XML-RPC on All WordPress Sites?

Yes. Unless you know for sure that a tool depends on it, disabling XML-RPC is one of the most recommended baseline security steps.

Large agencies, enterprise teams and performance-focused developers disable XML-RPC on almost every site.

You get:

• better security
• fewer brute force attempts
• reduced CPU usage
• more stable performance
• no negative impact on normal functionality

Frequently Asked Questions

XML-RPC allows external apps to communicate with your WordPress site. It was used years ago for remote publishing but is rarely needed today. Most modern features rely on the REST API.

Yes. Almost all WordPress sites can safely disable XML-RPC. This prevents brute force attacks, reduces server load and improves security without affecting normal site functions.

Yes. XML-RPC is often targeted by automated bots. Blocking it reduces unnecessary requests, lowers CPU usage and improves overall site stability.

Yes. XML-RPC serves no practical purpose for most modern workflows. Agencies, enterprise teams and performance-focused businesses disable it as part of their standard setup.

Wrapping Up

XML-RPC is a legacy feature that most modern websites no longer need. It creates unnecessary security risks, wastes server resources and is a common entry point for brute force attacks. Disabling XML-RPC makes your WordPress website safer and faster with almost no downside.

Whether you use the Perform plugin to disable it or one of the other methods in this guide, you can secure your website in just a few minutes.

If you want help improving your website security, performance or reliability, you can explore my WordPress services or request a tailored solution for your business.

Mehul Gohil

Mehul Gohil is a Full Stack WordPress developer and an active member of the local WordPress community. For the last 13+ years, he has been developing custom WordPress plugins, custom WordPress themes, third-party API integrations, performance optimization, and custom WordPress websites tailored to the client's business needs and goals.
