
Should You Disable XML-RPC on WordPress?

XML-RPC on WordPress is an API (“application programming interface”). It gives developers who make mobile apps, desktop apps and other services a way to talk to your WordPress site. The XML-RPC API that WordPress provides lets them write applications (for you) that can do many of the things you can do when logged into WordPress through the web interface.

These include:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

For the full list of WordPress API functions available to developers via XML-RPC, take a look at this page on the WordPress Codex.

If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress.

Let’s use an example to illustrate: You have an app on your iPhone that lets you moderate WordPress comments. Someone advises you to disable XML-RPC. Your iPhone app suddenly stops working because it can no longer communicate with your website using the API you just disabled.

There are two common attacks on XML-RPC:

  • DDoS via XML-RPC pingbacks. The pingback.ping method makes your server fetch the URL passed as its first argument to check that it links back to you. An attacker who sends that request to thousands of WordPress sites, each time with a victim's URL as the argument, turns all of those sites into one flood against the victim.
  • Brute force attacks via XML-RPC. Authenticated methods such as wp.getUsersBlogs take a username and password, and system.multicall lets a single HTTP request bundle hundreds of such calls, so password guessing through xmlrpc.php is faster and harder to rate-limit than guessing through wp-login.php.
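To make the two attack shapes concrete, here is an added Python example (not code from the original article or from Hide My WP Ghost) that builds both request bodies with the standard library's xmlrpc.client and classifies them the way a WAF rule or request-inspection hook in front of xmlrpc.php might. The hostnames victim.example and blog.example, the user names and the password list are constructed sample data; the method names and argument order are those of the WordPress XML-RPC API.

```python
"""Inspect XML-RPC request bodies as they would arrive at /xmlrpc.php and
flag the two abuse patterns: multicall credential spraying and pingback
reflection.  Added example; all payloads below are constructed sample data."""
import xmlrpc.client
from xml.parsers import expat

# Position of the username argument in the WordPress wp.* methods; the
# password is always the argument that follows it.
USERNAME_INDEX = {
    "wp.getUsersBlogs": 0,
    "wp.getPosts": 1, "wp.newPost": 1, "wp.editPost": 1, "wp.deletePost": 1,
    "wp.uploadFile": 1, "wp.getComments": 1, "wp.editComment": 1,
}


def iter_calls(body):
    """Yield (method, params) for each call in a request body, unpacking
    system.multicall so that every nested call is counted on its own."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        for call in params[0]:
            yield call.get("methodName"), list(call.get("params", []))
    else:
        yield method, list(params)


def classify(body):
    """Return a summary dict with a human-readable verdict for one request."""
    try:
        calls = list(iter_calls(body))
    except (expat.ExpatError, xmlrpc.client.ResponseError,
            TypeError, AttributeError, IndexError):
        return {"methods": [], "calls": 0, "credential_guesses": 0,
                "pingback_targets": [], "verdict": "malformed"}

    guesses = set()  # distinct (username, password) pairs in this request
    for method, params in calls:
        idx = USERNAME_INDEX.get(method)
        if idx is not None and len(params) > idx + 1:
            guesses.add((str(params[idx]), str(params[idx + 1])))

    # pingback.ping(sourceURI, targetURI): the server fetches sourceURI to
    # verify the link, so an attacker-chosen sourceURI is the DDoS target.
    targets = [str(p[0]) for m, p in calls if m == "pingback.ping" and p]

    if len(guesses) > 1:
        verdict = "brute-force: %d credential pairs in one request" % len(guesses)
    elif targets:
        verdict = "pingback: server would fetch %s" % targets[0]
    else:
        verdict = "ordinary call"
    return {"methods": sorted({m for m, _ in calls if m}),
            "calls": len(calls), "credential_guesses": len(guesses),
            "pingback_targets": targets, "verdict": verdict}


def multicall_spray(username, passwords):
    """Constructed attacker payload: one HTTP request, many login guesses."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def pingback_reflection(victim_url, post_url):
    """Constructed attacker payload aiming this blog's pingback at a victim."""
    return xmlrpc.client.dumps((victim_url, post_url), methodname="pingback.ping")


def legitimate_getposts(username, password):
    """What a normal mobile client sends: blog_id, username, password, filter."""
    return xmlrpc.client.dumps((1, username, password, {"number": 10}),
                               methodname="wp.getPosts")


if __name__ == "__main__":
    samples = {
        "spray": multicall_spray("admin", ["pw%04d" % i for i in range(500)]),
        "pingback": pingback_reflection("http://victim.example/",
                                        "http://blog.example/2015/01/hello/"),
        "client": legitimate_getposts("editor", "correct horse battery"),
        "junk": "not xml at all",
    }
    for name, body in samples.items():
        print(name, classify(body)["verdict"])
```

The multicall case shows why a login rate limit that counts HTTP requests is not enough: one POST to xmlrpc.php can carry hundreds of username/password pairs, so the counter has to look inside the body. The pingback case shows the reflection vector: the first argument of pingback.ping is the URL your server will fetch, so whoever can post that request chooses where your server sends traffic.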

XML-RPC & Jetpack Plugin Compatibility:

To block xmlrpc.php for everyone except Jetpack's servers, add this to the beginning of your .htaccess file. Jetpack connects from 192.0.64.0/18 (192.0.64.0 to 192.0.127.255); Jetpack publishes its current IP ranges, so check that list before relying on this rule. Note that this does not hide the file, it refuses requests to it, and any other app you use (like the iPhone app above) will be refused too unless you add its address:

<Files xmlrpc.php>
    # Apache 2.4 (mod_authz_core): only the Jetpack range may reach xmlrpc.php
    <IfModule mod_authz_core.c>
        Require ip 192.0.64.0/18
    </IfModule>
    # Apache 2.2 (mod_access): deny everyone first, then allow the Jetpack range
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 192.0.64.0/18
    </IfModule>
</Files>

Now whenever anyone outside the allowed range requests xmlrpc.php, Apache answers with a 403 Forbidden before WordPress even runs, while Jetpack's servers keep working. If your site is served by nginx rather than Apache, .htaccess is ignored and the equivalent restriction has to go in the server configuration.

If you still want to disable XML-RPC, you can switch on this option in Hide My WP Ghost.