How Do I Disable XML-RPC in WordPress?
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Go to WP Ghost > Change Paths > API Security, switch on Disable XML-RPC Access, and click Save. That is it. The xmlrpc.php file will return a 404 error for all requests, blocking brute force amplification attacks, pingback DDoS abuse, and username enumeration through this endpoint.
Why You Should Disable XML-RPC
XML-RPC is WordPress’s legacy remote communication protocol. It was built before the REST API existed and is rarely needed on modern sites. The problem is that it is still active on every default WordPress installation, and it has almost no built-in security controls: no rate limiting, no CAPTCHA, and no login attempt tracking.
The biggest risk is brute force amplification. The system.multicall method lets attackers bundle hundreds of password guesses into a single HTTP request, up to 1,999 attempts per call in known exploit tools. Standard login protections on /wp-login.php see one request instead of 2,000, so rate limiting, CAPTCHA, and failed login tracking are completely bypassed. Attackers have shifted to targeting XML-RPC specifically because most security plugins don’t monitor it.
On top of brute force, XML-RPC can be abused for DDoS amplification through the pingback.ping method, username enumeration through wp.getUsersBlogs, and CMS confirmation (a responsive xmlrpc.php is one of the primary signals WPScan uses to identify WordPress). Disabling it eliminates all of these attack vectors at once.
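To make the request shapes described above concrete from the defender's side, here is an added inspection routine (example code written for this article, not part of WP Ghost or WordPress) that parses an XML-RPC request body, unpacks a system.multicall, and flags the patterns the text names: many bundled calls, the same authenticated method repeated inside one multicall, and the pingback.ping and wp.getUsersBlogs methods. The sample bodies are constructed for the example, use placeholder values, and the MULTICALL_LIMIT threshold is an assumed value to tune for your own site.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Methods the article names as abuse vectors (pingback DDoS, username enumeration).
RISKY_METHODS = {"pingback.ping", "wp.getUsersBlogs"}
# Assumed threshold for this example: a multicall bundling more calls than this
# is reported as amplification regardless of which methods it carries.
MULTICALL_LIMIT = 50


def inspect_xmlrpc_body(body: str) -> dict:
    """Parse one XML-RPC request body and describe what it asks the server to do.

    Returns {"method": str, "inner_methods": Counter, "flags": [str]}.
    Malformed input is reported as a flag instead of raising, so the function
    can run unattended over captured request bodies.
    """
    result = {"method": "", "inner_methods": Counter(), "flags": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        result["flags"].append("malformed-xml")
        return result
    if root.tag != "methodCall":
        result["flags"].append("not-a-methodCall")
        return result

    method = (root.findtext("methodName") or "").strip()
    result["method"] = method

    if method == "system.multicall":
        # The single parameter is an <array> of <struct>s, each carrying a
        # methodName member and a params member.
        data = root.find("params/param/value/array/data")
        calls = data.findall("value/struct") if data is not None else []
        for call in calls:
            inner = ""
            for member in call.findall("member"):
                if (member.findtext("name") or "").strip() == "methodName":
                    inner = (member.findtext("value/string") or "").strip()
            result["inner_methods"][inner or "<unnamed>"] += 1
        total = sum(result["inner_methods"].values())
        if total > MULTICALL_LIMIT:
            result["flags"].append(f"multicall-amplification:{total}")
        # A client has no legitimate reason to repeat the same authenticated
        # call inside one multicall; repetition is the credential-guessing shape.
        for inner, n in result["inner_methods"].items():
            if n > 1:
                result["flags"].append(f"repeated-method:{inner}:{n}")
        for inner in result["inner_methods"]:
            if inner in RISKY_METHODS:
                result["flags"].append(f"risky-inner-method:{inner}")
    elif method in RISKY_METHODS:
        result["flags"].append(f"risky-method:{method}")
    return result


# Constructed sample bodies for this example (not captured traffic). The
# multicall bundles the same login-bearing call three times with placeholders.
_CALL = ('<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs'
         '</string></value></member><member><name>params</name><value><array><data>'
         '<value><string>demo</string></value><value><string>placeholder</string></value>'
         '</data></array></value></member></struct></value>')
SAMPLE_MULTICALL = ('<methodCall><methodName>system.multicall</methodName><params><param>'
                    '<value><array><data>' + _CALL * 3 + '</data></array></value></param>'
                    '</params></methodCall>')
SAMPLE_PINGBACK = ('<methodCall><methodName>pingback.ping</methodName><params>'
                   '<param><value><string>https://example.com/source</string></value></param>'
                   '<param><value><string>https://example.org/target</string></value></param>'
                   '</params></methodCall>')

if __name__ == "__main__":
    for label, body in (("multicall", SAMPLE_MULTICALL), ("pingback", SAMPLE_PINGBACK)):
        r = inspect_xmlrpc_body(body)
        print(label, r["method"], dict(r["inner_methods"]), r["flags"])
```

The repeated-method rule is the more useful signal in practice: a legitimate multicall may carry a handful of different calls, but never the same login-bearing method over and over, so it catches small batches that stay under any raw count threshold.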
How to Disable XML-RPC with WP Ghost
First, make sure Safe Mode or Ghost Mode is active. Go to WP Ghost > Change Paths > Level of Security and select either option if you haven’t already.
Then go to WP Ghost > Change Paths > API Security. Switch on Disable XML-RPC Access and click Save. The xmlrpc.php file now returns a 404 for all requests. No .htaccess editing, no code snippets, and no manual file changes needed.
For complete API security, also consider changing the REST API path and disabling the RSD endpoint in the same API Security section. See the Disable XML-RPC Access tutorial for the full walkthrough, and the Change REST API Path tutorial for REST API protection.
After saving, verify the change by going to WP Ghost > Security Check and running a scan. You can also check manually: visit yourdomain.com/xmlrpc.php in a private browser window. If you see a 404 instead of “XML-RPC server accepts POST requests only,” the protection is active.
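Beyond the browser check, the web server's access log tells you both whether xmlrpc.php was being hit before the change and whether every request now gets the 404. The following added script (written for this article; it is not WP Ghost code) parses combined-format access log lines, groups xmlrpc.php requests by client and status, and returns a verdict; a second helper interprets the manual browser check. The log lines are constructed samples, and the assumption that a GET to a live endpoint answers 405 with the "accepts POST requests only" text is how the sample is built, not something the script depends on.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). LOG_BEFORE: xmlrpc.php still served;
# LOG_AFTER: every request to it is answered with 404 by the rewrite rule.
LOG_BEFORE = """\
203.0.113.7 - - [10/Mar/2025:09:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:09:13:40 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2025:09:13:41 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "curl/8.4.0"
"""
LOG_AFTER = """\
203.0.113.7 - - [11/Mar/2025:02:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2025:02:00:11 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2025:02:05:09 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "curl/8.4.0"
this line is not in combined format and is skipped
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_report(log_text: str) -> dict:
    """Summarize every request for xmlrpc.php: who sent them, what status they
    got, and whether any request reached the endpoint (status other than 404)."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare on the last path segment so a site installed under a
        # subdirectory (/blog/xmlrpc.php) is covered, and ignore query strings.
        filename = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if filename != "xmlrpc.php":
            continue
        per_client[rec["ip"]][rec["status"]] += 1
    served = sum(n for c in per_client.values() for s, n in c.items() if s != 404)
    blocked = sum(c[404] for c in per_client.values())
    if served:
        verdict = "exposed"
    elif blocked:
        verdict = "blocked"
    else:
        verdict = "no-traffic"
    return {
        "verdict": verdict,
        "served": served,
        "blocked": blocked,
        "clients": {ip: dict(c) for ip, c in per_client.items()},
    }


def classify_manual_check(status: int, body: str) -> str:
    """Interpret the browser check: a 404 means the WP Ghost rule is active;
    the 'accepts POST requests only' banner means the endpoint is live."""
    if status == 404:
        return "blocked"
    if "XML-RPC server accepts POST requests only" in body:
        return "exposed"
    return "inspect"  # e.g. a 403 from another plugin, or a cached page


if __name__ == "__main__":
    for label, text in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, xmlrpc_report(text))
```

Run it against your own log with `xmlrpc_report(open("/var/log/apache2/access.log").read())` (path assumed; adjust for your server). A verdict of "exposed" after enabling the option usually means a caching layer or a second web server in front of WordPress is answering before the rewrite rule runs, and the per-client breakdown shows which sources were hammering the endpoint before the block.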
Jetpack and Other Plugin Compatibility
Most modern WordPress plugins use the REST API, not XML-RPC. The notable exception is Jetpack, which relies on XML-RPC for some communication with WordPress.com servers. If you use Jetpack and need to keep XML-RPC accessible to its servers while blocking everyone else, you can whitelist Jetpack’s IP ranges in your .htaccess file. See the full XML-RPC tutorial for the exact configuration. If you don’t use Jetpack, just disable XML-RPC entirely.
The WordPress mobile app also used to rely on XML-RPC, but current versions use the REST API. Update to the latest app version before disabling XML-RPC.
Frequently Asked Questions
Do I need XML-RPC for anything on a modern WordPress site?
Almost certainly not. The REST API has replaced XML-RPC for every modern use case: remote publishing, mobile apps, third-party integrations, and admin automation. Unless you specifically use Jetpack features that require it or an older remote publishing tool, you can safely disable it.
Does disabling XML-RPC affect WooCommerce?
No. WooCommerce uses the REST API, not XML-RPC. Cart, checkout, product pages, and all WooCommerce functionality are completely unaffected.
What is the difference between XML-RPC and the REST API?
Both allow remote communication with WordPress, but they are different systems. XML-RPC is the legacy protocol using a single endpoint (xmlrpc.php) with no built-in security controls. The REST API is the modern replacement with JSON-based communication, authentication tokens, and nonce verification. WP Ghost lets you secure both: disable XML-RPC entirely and change or restrict the REST API path.
Does WP Ghost delete the xmlrpc.php file?
No. WP Ghost never modifies or deletes any file. The xmlrpc.php file stays on your server. WP Ghost blocks access through URL rewrite rules that return a 404 for all requests to that file. Deactivating WP Ghost restores access instantly.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses rewrite rules and WordPress filters for all its security features. No core files, plugin files, or theme files are modified.