Should I turn WordPress XML-RPC on or off?
To decide whether to enable or disable XML-RPC in WordPress, check some of its pros and cons:
Keeping it turned on lets you manage your WordPress site remotely, outside the WordPress Admin Section, through apps for the web, Android, iOS, macOS, Windows, Linux and more. Depending on the app, that covers writing, editing and publishing posts, editing or replying to comments, and managing options, the Media Library, WordPress users and taxonomies.
Keeping XML-RPC enabled can pose a security risk. Attackers use it for DDoS attacks, often by spamming or abusing the XML-RPC Pingback API; anti-spam WordPress plugins and measures such as disabling WordPress comments can limit this. Pingback traffic can also increase the server's CPU usage, slow down your website or consume some of its storage. Finally, attackers can attempt to brute-force logins through this remote-access interface.
1. Enable XML-RPC in WordPress
For most WordPress webmasters, enabling XML-RPC is unnecessary because it has been enabled by default since WordPress 3.5. To check, append xmlrpc.php to your WordPress site's address, for example “www.website-name.com/xmlrpc.php”.
Tip. In some cases its functionality is turned off indirectly. Deactivate any plugins that provide remote access or transfer data externally, and temporarily disable any WordPress security plugins you might have.
2. Disable XML-RPC in WordPress
Here are 3 ways to deactivate XML-RPC in WordPress:
1. Configure .htaccess file
We’ll start with the quickest and least resource-intensive method. Access your WordPress website via FTP, then open your .htaccess file in the root (or public_html, www, website-name) folder. Paste the following code at the end:
# Forbid xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from XXX.XXX.XXX.XXX
</Files>
Note. Replace XXX.XXX.XXX.XXX with the IP address of the device you want to keep XML-RPC access for. If you want to block access for everyone, delete the “allow from” line.
2. Make your own WordPress plugin or add a code snippet
We already taught you how to make a site-specific WordPress plugin in the past. You can also use a code snippet plugin or edit the WordPress footer/header. Regardless of the method you go with, paste the following code:
// Disable the XML-RPC methods that require authentication.
add_filter( 'xmlrpc_enabled', '__return_false' );
3. Use a third-party WordPress plugin
This might be the most user-friendly method for new webmasters. It also allows a greater degree of control, as shown in the alternative method below. With that said, do this to switch XML-RPC off via a WordPress plugin:
- Install a WordPress plugin with this functionality. We’ll use Disable XML-RPC-API (wordpress.org/plugins/disable-xml-rpc-api) for demonstration.
- Open the left sidebar in the WordPress Admin Dashboard and click on XML-RPC Security.
- Click on the XML-RPC Settings option on the left-hand side. When it expands, click on XML-RPC.
- Toggle the XML-RPC API Master switch option to OFF.
- Optional. Visit “www.website-name.com/xmlrpc.php” in your browser to confirm it’s disabled. You should see the “403 Forbidden Error” page.
3. Keep XML-RPC activated with adjustments (Alternative)
Website owners are often in a tough spot. Should they lose crucial functionality to stop a brute-force or DDoS attack, or suffer in silence while enjoying the pros of XML-RPC? Well, with the plugin above (and similar ones), they don’t have to choose whether to enable or disable XML-RPC on WordPress. After following steps 1 through 3 above, a webmaster can:
- Toggle the master switch back to ON in step 4.
- Under Change XML-RPC slug, alter the WordPress slug from xmlrpc.php to anything they want.
- Under Disable Methods, put a checkmark in front of:
- Optional. Under Enable XML-RPC for: and Disable XML-RPC for: add the IP addresses of devices they want to keep out or allow in.
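As an added example (not code from this article or from the plugin it names), the following must-use plugin does in PHP what method 2 and this alternative describe: it keeps XML-RPC reachable only for an allowlist of IP addresses, removes the pingback and system.multicall methods, and stops advertising the endpoint. One caveat worth knowing: the xmlrpc_enabled filter from method 2 only gates methods that require login, so on its own it does not block pingback.ping. The IP addresses and the HXR_ prefix are assumed sample values.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 * Description: Allowlist authenticated XML-RPC, drop pingback/multicall, hide the endpoint.
 * Place this file in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

// Devices that may still use authenticated XML-RPC methods (constructed sample addresses).
const HXR_ALLOWED_IPS = array( '203.0.113.10', '198.51.100.7' );

// 1. Authenticated methods: allowed only from the addresses above.
//    'xmlrpc_enabled' receives the default (true) and only gates methods that require login.
//    Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; adjust accordingly.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return $enabled && in_array( $ip, HXR_ALLOWED_IPS, true );
} );

// 2. Unauthenticated methods that need no login: remove them from the method table outright.
//    pingback.ping is what reflected-DDoS abuse calls; system.multicall lets one request
//    carry many login attempts, which defeats per-request brute-force rate limits.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint in responses and stop sending pingbacks for new posts.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'pings_open', '__return_false', 20 );
```

After installing it, the optional check from method 3 still applies: requests from a non-allowlisted address should be refused, and a request for pingback.ping should be answered with an "unknown method" fault.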