Should You Disable XML-RPC on WordPress?

Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

Yes, for most WordPress sites. XML-RPC is a legacy protocol that most modern sites don’t need. The REST API has replaced it for every common use case. But XML-RPC is still active by default, and attackers exploit it heavily: a single HTTP request through system.multicall can send up to 1,999 password guesses at once, bypassing login rate limiting and CAPTCHA. WP Ghost disables it with one toggle.

What Is XML-RPC and What Does It Do?

XML-RPC is a remote communication protocol that lets external applications interact with your WordPress site. It’s handled by a single file: xmlrpc.php. It was WordPress’s original API, predating the REST API by years. It was designed for publishing posts from mobile apps, managing multiple sites from a single dashboard, enabling trackbacks and pingbacks, and allowing third-party tools to talk to WordPress remotely.

Today, the REST API (/wp-json/) does everything XML-RPC did, with better security, proper authentication, and broader developer support. XML-RPC is effectively obsolete for modern WordPress usage.

Why Is XML-RPC Dangerous If Left Enabled?

XML-RPC is one of the most abused WordPress endpoints because of how it handles authentication combined with a feature called system.multicall:

Brute force amplification. The system.multicall method bundles multiple calls into one HTTP request. Attackers exploit this to send hundreds or thousands of username/password guesses in a single request. Instead of 500 separate login attempts (which security plugins would detect and block), an attacker sends one POST to xmlrpc.php containing 500 authentication attempts. Login rate limiters see one request, not 500. Publicly available exploit tools can send up to 1,999 attempts per request.

DDoS amplification through pingbacks. The pingback.ping method can be abused to launch distributed denial-of-service attacks. An attacker sends fake pingback requests to thousands of WordPress sites, all pointing to a single target. Each site makes a request to the target, creating a massive amplified DDoS attack. Your site becomes an unwitting participant.

CMS fingerprinting. A responsive xmlrpc.php file that returns “XML-RPC server accepts POST requests only” immediately confirms WordPress to any scanner.
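The multicall amplification and pingback abuse described above can also be caught at a reverse proxy or WAF before the request reaches xmlrpc.php. The following Python check is an added example, not code from this article or from WP Ghost: it parses an XML-RPC body, unbundles system.multicall into the inner method names, and blocks requests that bundle more credential-bearing calls than a threshold or that invoke pingback.ping. The AUTH_METHODS set, the threshold of 3 and the sample request builder are assumptions chosen for the demonstration.

```python
import xml.etree.ElementTree as ET

# Methods that take a username/password and are the usual content of a
# system.multicall password-guessing bundle (assumed list, extend as needed).
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "blogger.getUsersBlogs"}

def _value_text(value_el) -> str:
    # <value><string>x</string></value> and bare <value>x</value> both mean the string x
    return (value_el.findtext("string") or value_el.text or "").strip() if value_el is not None else ""

def xmlrpc_methods(body: bytes) -> list[str]:
    """Method names the request would execute: one for a plain call, every inner call for system.multicall."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return []
    outer = (root.findtext("methodName") or "").strip()
    if outer != "system.multicall":
        return [outer]
    methods = []
    # system.multicall takes a single array of structs, each carrying a methodName member
    for struct in root.findall("params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                methods.append(_value_text(member.find("value")))
    return methods

def classify_request(body: bytes, max_auth_calls: int = 3) -> dict:
    """WAF-style verdict: block bundled credential guessing and pingback.ping, pass single calls through."""
    try:
        methods = xmlrpc_methods(body)
    except ET.ParseError:
        return {"methods": [], "auth_calls": 0, "verdict": "block:malformed-xml"}
    auth_calls = sum(1 for m in methods if m in AUTH_METHODS)
    if auth_calls > max_auth_calls:
        verdict = "block:multicall-bruteforce"   # one HTTP request, many login attempts
    elif "pingback.ping" in methods:
        verdict = "block:pingback"               # stops the site being used as a DDoS reflector
    else:
        verdict = "allow"                        # single calls stay subject to normal login rate limiting
    return {"methods": methods, "auth_calls": auth_calls, "verdict": verdict}

def sample_multicall(n_guesses: int) -> bytes:
    """Constructed fixture: n wp.getUsersBlogs calls with placeholder credentials bundled in one system.multicall."""
    call = ("<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data><value><string>admin</string></value>"
            "<value><string>guess{i}</string></value></data></array></value></member></struct></value>")
    inner = "".join(call.format(i=i) for i in range(n_guesses))
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName><params><param>"
            f"<value><array><data>{inner}</data></array></value></param></params></methodCall>").encode()
```

Run `classify_request(sample_multicall(6))` to see a six-guess bundle blocked while `sample_multicall(2)` is allowed; a bundle that parses to hundreds of inner calls is flagged the same way regardless of what the login rate limiter counts.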

How Do I Disable XML-RPC with WP Ghost?

One toggle. Go to WP Ghost > Change Paths > API Security. Switch on Disable XML-RPC Access. Click Save. The xmlrpc.php file now returns a 404 for all requests. No .htaccess editing, no code snippets needed.

To verify, open a private browser window and visit yourdomain.com/xmlrpc.php. If you see a 404 instead of the XML-RPC response, it’s working. You can also run a Security Check from WP Ghost > Security Check > Start Scan to confirm.

For complete API security, also consider changing the REST API path and disabling the RSD endpoint in the same API Security tab. For the full guide, see the disable XML-RPC tutorial.

When Should I NOT Disable XML-RPC?

Only keep XML-RPC enabled if you specifically use a tool or plugin that requires it. The most notable case is Jetpack, which uses XML-RPC for some of its communication with WordPress.com servers. If you use Jetpack, you can whitelist its IP ranges while blocking everyone else. The disable XML-RPC tutorial includes the specific IP ranges to whitelist.

The current WordPress mobile app uses the REST API and works fine without XML-RPC. Older versions of the app relied on XML-RPC, so update to the latest version before disabling. WooCommerce uses the REST API exclusively and is completely unaffected by disabling XML-RPC.

Frequently Asked Questions

What’s the difference between XML-RPC and the REST API?

Both allow remote communication with WordPress, but they’re different systems. XML-RPC uses a single file (xmlrpc.php) with XML-encoded requests and minimal security controls. The REST API uses URL-based endpoints (/wp-json/) with JSON data, proper authentication, and permissions. The REST API is the modern replacement. For complete API security, secure both: disable XML-RPC and change the REST API path.

Does disabling XML-RPC affect WooCommerce?

No. WooCommerce uses the REST API (/wp-json/wc/v3/), not XML-RPC. Disabling XML-RPC has zero impact on cart, checkout, product pages, or any WooCommerce functionality.

Is this a free feature?

Yes. Disabling XML-RPC, changing the REST API path, and disabling the RSD endpoint are all included in WP Ghost Free with 115+ other security features.

Does WP Ghost modify WordPress core files?

No. WP Ghost doesn’t delete or modify the xmlrpc.php file. It blocks access through URL rewrite rules so all requests return a 404. Deactivating WP Ghost restores access to xmlrpc.php instantly.