Should You Disable XML-RPC on WordPress?

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

For most WordPress sites, yes. XML-RPC is a legacy API that most modern sites no longer need, and it is one of the most targeted endpoints for brute force and DDoS attacks. WP Ghost lets you disable XML-RPC with a single toggle. If you use Jetpack or a mobile app that relies on XML-RPC, you can keep it enabled but restrict access to specific IP ranges instead of disabling it entirely.

What XML-RPC Does

XML-RPC is a WordPress API that allows external applications to communicate with your site. Mobile apps, desktop publishing tools, and some plugins use it to publish posts, upload media, manage comments, and perform other actions remotely. It was the primary way to interact with WordPress programmatically before the REST API was introduced in WordPress 4.7.

Today, most applications have migrated to the REST API, which is more modern, more flexible, and better supported. XML-RPC is still available for backward compatibility, but fewer services depend on it. The main exceptions are Jetpack (which uses XML-RPC to communicate with WordPress.com servers) and some older mobile or desktop publishing apps.

Why XML-RPC Is a Security Risk

XML-RPC is one of the most exploited WordPress endpoints because of two specific attack types.

Brute force amplification via system.multicall. Unlike the login page where bots try one password per request, the XML-RPC system.multicall method lets attackers test hundreds of username/password combinations in a single request. This bypasses login rate limiting and reCAPTCHA because the attack never touches the login form. It is significantly faster and harder to detect than standard brute force attacks.

DDoS via pingback abuse. Attackers use the XML-RPC pingback feature to turn your site into a weapon against other sites. They send fake pingback requests to your xmlrpc.php, and your server sends the pingback traffic to the target site. Thousands of WordPress sites can be coordinated this way to create a distributed denial-of-service attack, and your server’s resources are consumed in the process.

How to Disable XML-RPC in WP Ghost

Go to WP Ghost > Change Paths > API Security and switch on Disable XML-RPC Access. Click Save. Requests to /xmlrpc.php will return an error, and the two attack vectors described above are eliminated. For the full XML-RPC configuration guide, see the Disable XML-RPC tutorial.

If You Need to Keep XML-RPC Enabled

If you use Jetpack or another service that requires XML-RPC, do not disable it entirely. Instead, restrict access to only the IP addresses that need it. For Jetpack, add the following to the beginning of your .htaccess file to allow only Automattic’s IP range while blocking everyone else:

# Apache 2.2 access-control syntax; on Apache 2.4 this needs mod_access_compat
# (the native 2.4 equivalent is "Require ip 192.0.64.0/18")
<Files xmlrpc.php>
Order allow,deny
# Automattic's range 192.0.64.0 - 192.0.127.255 written as a CIDR block,
# which is the form "Allow from" accepts
Allow from 192.0.64.0/18
Deny from all
Satisfy All
# A full URL here makes Apache redirect blocked clients to 127.0.0.1 (their own
# loopback address) instead of serving a 403 page; remove this line for a plain 403
ErrorDocument 403 http://127.0.0.1/
</Files>

This keeps Jetpack working while returning a 403 Forbidden error to every other request. You can add additional IP ranges for other services that need XML-RPC access.

Frequently Asked Questions

How do I know if anything on my site uses XML-RPC?

Disable XML-RPC in WP Ghost and test your site for a few days. If nothing breaks (no mobile app errors, no plugin failures, no service disconnections), you do not need XML-RPC. If something stops working, re-enable it and use the IP restriction method instead of full disabling.
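A complementary check before you flip the toggle: summarize who is actually calling xmlrpc.php from the web server access log, so legitimate callers (such as Jetpack from Automattic's 192.0.64.0/18 range used in the .htaccess snippet above) are separated from the high-volume sources typical of multicall and pingback abuse. This is an added example, not WP Ghost's or WordPress's own code; the log lines, the 20-request threshold and the combined-log regex are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Allowlist: the Automattic/Jetpack range from the .htaccess snippet above.
ALLOWED_NETS = [ipaddress.ip_network("192.0.64.0/18")]

# Apache/nginx "combined" log format (assumed; adjust for a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def summarize_xmlrpc(lines, threshold=20):
    """Return {ip: {"count", "allowed", "agents", "suspect"}} for hits on xmlrpc.php.
    A source is 'suspect' when it is outside ALLOWED_NETS and sent >= threshold requests."""
    per_ip = defaultdict(lambda: {"count": 0, "allowed": False, "agents": set(), "suspect": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").split("?")[0].endswith("/xmlrpc.php"):
            continue  # unparsable line or a request to some other path
        ip = ipaddress.ip_address(m.group("ip"))
        entry = per_ip[str(ip)]
        entry["count"] += 1
        entry["allowed"] = any(ip in net for net in ALLOWED_NETS)
        entry["agents"].add(m.group("ua"))
    for entry in per_ip.values():
        entry["suspect"] = not entry["allowed"] and entry["count"] >= threshold
    return dict(per_ip)

# Constructed sample log (not real traffic): one Jetpack call, one unrelated login-page
# hit, and a burst of 25 POSTs to xmlrpc.php from a single outside host.
SAMPLE_LOG = [
    '192.0.66.10 - - [10/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack by WordPress.com"',
    '198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Jan/2024:10:00:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'
    for i in range(3, 28)
]

if __name__ == "__main__":
    for ip, info in summarize_xmlrpc(SAMPLE_LOG).items():
        flag = "SUSPECT" if info["suspect"] else ("allowed" if info["allowed"] else "review")
        print(f"{ip:16} {info['count']:4d} requests  {flag}  {sorted(info['agents'])}")
```

Sources marked "review" are the ones to identify before disabling: if none remain after you account for your own apps and services, nothing on the site depends on XML-RPC.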

Is the REST API a replacement for XML-RPC?

Yes. The REST API (available since WordPress 4.7) provides all the functionality XML-RPC offered, plus much more. Most modern plugins and apps use the REST API. If you disable XML-RPC, the REST API continues working and handles remote communication for services like the WordPress mobile app (newer versions), Gutenberg, and most modern integrations.

Does disabling XML-RPC affect my site speed?

It can improve it. If bots are sending large volumes of XML-RPC requests to your server, each request consumes PHP and database resources. Disabling XML-RPC returns an error immediately with minimal processing, freeing up those resources for legitimate visitors.

Does WP Ghost modify WordPress core files?

No. Disabling XML-RPC in WP Ghost is done through WordPress filters and server rewrite rules. The xmlrpc.php file is not deleted or modified. Re-enabling the option restores XML-RPC access instantly.