
How to disable XML-RPC on WordPress

by Thạch Phạm

What is XML-RPC?

XML-RPC is a SOAP-style web service protocol that uses XML to encode and exchange data (XML Remote Procedure Call) and can support the APIs of CMSs such as the WordPress API, the Blogger API, and others. The XML-RPC feature has been enabled by default in WordPress since version 3.5, and the main reason for this is to allow the WordPress mobile app to communicate with your WordPress website.

So why disable XML-RPC?

In general, XML-RPC has more disadvantages than advantages. Leaving it enabled can expose vulnerabilities in your WordPress website and make it a target for basic attacks such as DDoS through XML-RPC pingbacks and brute-force login attempts through XML-RPC. You should therefore disable XML-RPC to increase the security of your website. AZDIGI Hosting disables XML-RPC by default, but some providers do not, in which case you need to disable it manually using one of the methods below.

How to disable XML-RPC on WordPress

Method 1: Disable XML-RPC with a plugin

To disable XML-RPC on your website, you just need to install a plugin that supports disabling XML-RPC. I will use the iThemes Security plugin as an example; it is a popular WordPress security plugin and the most used.


After installing the plugin, activate it and go to Security => Setting => Advanced => WORDPRESS TWEAKS. Next, choose the setting you need and click Save.

  • Disable XML-RPC: XML-RPC is disabled entirely; this is the recommended option. Jetpack, the WordPress mobile apps, pingbacks, and other services that use XML-RPC will not work.
  • Disable Pingbacks: only pingbacks are disabled. Other XML-RPC features keep working properly, so Jetpack features and the WordPress mobile app continue to work.
  • Enable XML-RPC: XML-RPC is enabled. Only use this option if the website is forced to use XML-RPC.

Method 2: Disable XML-RPC with the .htaccess file

To disable XML-RPC with the .htaccess file, log in to the hosting account or VPS that contains your website, open the website's root directory, and edit the .htaccess file.


Next, you need to add the code below:

# Block all requests to xmlrpc.php
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

Once inserted, the file will look as shown. Click Save to apply the configuration.


Check the results

After you have configured method 1 or 2, you can quickly check whether XML-RPC has been successfully disabled on the website by visiting the following URL: https://yourdomain.com/xmlrpc.php. You can tell the results apart as shown in the image below:
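The same check can be scripted. The following is an added example, not part of the original article: it requests xmlrpc.php and interprets the response. It assumes that stock WordPress answers a plain GET with HTTP 405 and the text "XML-RPC server accepts POST requests only.", and that the Method 2 rule answers with HTTP 403; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: interpret the response to a plain GET of /xmlrpc.php.
# Assumptions (not from the article): an enabled endpoint answers HTTP 405
# with "XML-RPC server accepts POST requests only."; the Method 2 deny rule
# answers HTTP 403. A plugin may respond differently and shows as "unknown".

# classify_xmlrpc STATUS BODY -> prints blocked | enabled | missing | unknown
classify_xmlrpc() {
    cx_status="$1"
    cx_body="$2"
    case "$cx_status" in
        403)
            echo "blocked" ;;          # web server refused the request
        404|410)
            echo "missing" ;;          # file removed or path rewritten
        405)
            # WordPress itself answered, so the endpoint is still reachable
            case "$cx_body" in
                *"XML-RPC server accepts POST requests only"*) echo "enabled" ;;
                *) echo "unknown" ;;
            esac ;;
        *)
            echo "unknown" ;;          # inspect the response by hand
    esac
}

# check_xmlrpc BASE_URL: fetch BASE_URL/xmlrpc.php and classify the answer.
# Needs curl and network access, e.g. check_xmlrpc https://yourdomain.com
check_xmlrpc() {
    cx_base="${1%/}"
    cx_tmp="$(mktemp)" || return 2
    # -L follows an http -> https redirect so the final status is reported
    cx_code="$(curl -sS -L -o "$cx_tmp" -w '%{http_code}' \
        --max-time 10 "$cx_base/xmlrpc.php")" || { rm -f "$cx_tmp"; return 2; }
    classify_xmlrpc "$cx_code" "$(head -c 4096 "$cx_tmp")"
    rm -f "$cx_tmp"
}
```

A result of "enabled" after applying method 1 or 2 means the change did not take effect, for example because the .htaccess file is not being read by the web server.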


These are some methods for disabling XML-RPC on a WordPress website that you can refer to and follow. I hope this article helps increase the security of your website.
