Guides April 26, 2026 4 min read

WordPress XML-RPC Security: Risks, Attacks, and How to Disable It Safely

What Is XML-RPC in WordPress?

XML-RPC is a remote procedure call protocol that WordPress uses. It allows external applications to interact with your site. Mobile apps, desktop clients, and remote publishing tools use XML-RPC to post content. The protocol has been part of WordPress since version 1.5. It provides a way to connect without direct database access. However, XML-RPC also introduces serious security risks that every site owner should understand.

Common XML-RPC Security Risks

Credential Stuffing and Brute Force Attacks

Attackers abuse XML-RPC for credential stuffing. The system.multicall method allows many authentication attempts in one request. A single XML-RPC request can test hundreds of username and password combinations. This makes brute force attacks faster and harder to block. Standard login rate limiting will not stop these attacks. The requests hit xmlrpc.php directly, not wp-login.php. The Disable XML-RPC plugin or Disable XML-RPC Pingback plugin can help block abuse on this endpoint. Trusti Security (Premium) also includes a one-click XML-RPC disable toggle in its hardening settings.

Pingback Abuse for DDoS Attacks

The XML-RPC pingback feature can be abused to launch distributed denial-of-service attacks. Attackers send pingback requests from many compromised WordPress sites to a single target. The target site receives a flood of traffic from otherwise legitimate servers. This amplification effect makes the attack difficult to filter. The pingback feature also enables port scanning through WordPress: attackers can probe internal networks using your site as a relay.

Unauthorized Content Manipulation

If an attacker gains access through XML-RPC, they can manipulate content remotely. They can create, edit, or delete posts and pages. Compromised accounts can modify user roles and permissions. Attackers can upload malicious files through XML-RPC endpoints. This level of access makes XML-RPC a prime target for automated attack scripts.

How to Check if XML-RPC Is Enabled

You can easily test whether XML-RPC is active on your site. Visit https://yoursite.com/xmlrpc.php in a browser. If you see a plain text message or an XML response, XML-RPC is enabled and accessible. You can also send a simple POST request to check the endpoint. If it responds, attackers can reach it too. Many WordPress installations have XML-RPC enabled by default.

Safe Methods to Disable XML-RPC

Using a Security Plugin

The safest way to disable XML-RPC uses a dedicated security plugin. Trusti Security includes an XML-RPC toggle in its settings panel. You can enable or disable it with a single click. This approach works well for non-technical site owners. It requires no code changes and functions on any hosting environment.

Adding Code to Functions.php

You can disable XML-RPC by adding a filter to your theme's functions.php file. Add this code to turn off every XML-RPC method that requires authentication:

// Reject every XML-RPC call that needs a login (remote publishing, user management, uploads).
add_filter('xmlrpc_enabled', '__return_false');

This filter makes WordPress refuse any authenticated XML-RPC request. The endpoint still exists, and methods that need no login, such as pingback.ping, still answer, so pair the filter with a server rule or the Disable XML-RPC Pingback plugin if pingback abuse is a concern. This method works well for sites that do not update frequently. Remember to use a child theme so theme updates do not remove your changes.

Using Server-Level Rules

Advanced users can block xmlrpc.php at the server level. For Apache servers, add this rule to your .htaccess file (the Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace those two lines with Require all denied):

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

For Nginx servers, use this location block:

location = /xmlrpc.php {
    deny all;
}

Server-level blocking combined with a security plugin offers the most effective protection. It stops requests before they reach WordPress. This approach reduces server load and prevents XML-RPC-based attacks entirely.

When You Should Keep XML-RPC Enabled

Some WordPress features depend on XML-RPC. The Jetpack plugin uses it for many services. Mobile apps like the WordPress iOS and Android apps rely on it. Remote publishing tools such as MarsEdit and Open Live Writer require XML-RPC. If you need these services, do not disable XML-RPC entirely. Instead, use a security plugin for IP whitelisting and access restriction features.

Alternative: Restrict Instead of Disable

If you need XML-RPC, restrict access rather than disable it. You can block all XML-RPC requests except from trusted IP addresses. Some security plugins offer selective XML-RPC control with an easy toggle. You can keep pingbacks enabled while blocking authentication attempts. This approach reduces your attack surface without breaking essential workflows.
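A worked version of the restrict-instead-of-disable approach, added here as an example (not code from the article or from Trusti Security). It relies on WordPress's xmlrpc_methods and xmlrpc_enabled filters; the allowlist addresses are placeholders from the documentation ranges, and it assumes REMOTE_ADDR is the real client address:

```php
<?php
// Added example, not code from the article or from Trusti Security: keep
// XML-RPC working for trusted publishing clients (Jetpack, the mobile apps,
// MarsEdit) while untrusted clients can reach only methods that need no
// login. Put it in a child theme's functions.php or in a file under
// wp-content/mu-plugins/. The allowlist addresses are placeholders.

const XMLRPC_TRUSTED_IPS = ['203.0.113.10', '198.51.100.25'];

// Methods that never authenticate: pingbacks plus discovery. Remove the two
// pingback entries as well if the site does not need pingbacks.
const XMLRPC_PUBLIC_METHODS = [
    'pingback.ping',
    'pingback.extensions.getPingbacks',
    'system.listMethods',
    'system.getCapabilities',
];

function xmlrpc_client_is_trusted(): bool {
    // Behind a CDN or reverse proxy REMOTE_ADDR is the proxy, not the client;
    // in that setup take the address from the proxy's forwarded-for header
    // (and only trust that header when the proxy is the one setting it).
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return in_array($ip, XMLRPC_TRUSTED_IPS, true);
}

// Trim the method table before WordPress dispatches the call. Untrusted
// clients keep only the public methods, so no credential can be tested here.
// (system.multicall is re-registered by the IXR server after this filter runs
// and cannot be removed, but it can then only batch the public methods.)
add_filter('xmlrpc_methods', function (array $methods): array {
    if (xmlrpc_client_is_trusted()) {
        return $methods;
    }
    return array_intersect_key($methods, array_flip(XMLRPC_PUBLIC_METHODS));
});

// Second layer: every login through XML-RPC is refused for untrusted clients,
// even if a plugin registers its own authenticated method later.
add_filter('xmlrpc_enabled', function (bool $enabled): bool {
    return $enabled && xmlrpc_client_is_trusted();
});
```

Untrusted clients calling wp.getUsersBlogs or any other authenticated method receive a method-not-found error, while system.listMethods shows them only the public methods.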

Monitoring XML-RPC Traffic

Even with XML-RPC disabled, you should monitor for abuse attempts. Attackers still probe for the endpoint. If you see a sudden spike in xmlrpc.php hits, it indicates an active attack. Trusti Security’s Admin Activity Log tracks user actions including login attempts and plugin changes. For XML-RPC-specific traffic monitoring, use server-level logging or a WAF solution. This visibility helps you detect targeted attacks early.
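An added example of the server-log monitoring recommended above, not from the article or from Trusti Security: a small PHP command-line script that reads a combined-format access log and flags client IPs that burst POSTs at xmlrpc.php. The threshold, window and the built-in sample log lines are assumptions to tune for your own site:

```php
<?php
// Added example, not code from the article or from Trusti Security: report
// client IPs that POST to xmlrpc.php at least THRESHOLD times inside any
// WINDOW_SECONDS span of a combined-format (Apache/Nginx) access log.
// Usage: php xmlrpc_bursts.php access.log   (no argument: scan a built-in sample)
const WINDOW_SECONDS = 60;
const THRESHOLD      = 20;   // tune to your site's normal xmlrpc.php traffic

// Return [ip, unix time] for a POST to /xmlrpc.php, null for any other line.
function parse_xmlrpc_post(string $line): ?array {
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "POST /xmlrpc\.php(?:\?\S*)? HTTP/[\d.]+" \d{3}~';
    if (!preg_match($re, $line, $m)) return null;
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return $ts ? [$m[1], $ts->getTimestamp()] : null;
}

// Map ip => peak number of xmlrpc.php POSTs seen inside one sliding window.
function find_bursts(iterable $lines): array {
    $stamps = [];
    foreach ($lines as $line) {
        if ($hit = parse_xmlrpc_post($line)) $stamps[$hit[0]][] = $hit[1];
    }
    $bursts = [];
    foreach ($stamps as $ip => $times) {
        sort($times);
        $start = 0;                              // left edge of the window
        foreach ($times as $i => $t) {
            while ($t - $times[$start] > WINDOW_SECONDS) $start++;
            if ($i - $start + 1 >= THRESHOLD) {
                $bursts[$ip] = max($bursts[$ip] ?? 0, $i - $start + 1);
            }
        }
    }
    return $bursts;
}

// Constructed sample: one client hammering the endpoint, one ordinary visitor.
function sample_log(): array {
    $fmt   = '%s - - [26/Apr/2026:10:%02d:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "sample-ua"';
    $lines = [sprintf($fmt, '198.51.100.9', 0, 0)];
    for ($s = 0; $s < 25; $s++) {                // 25 POSTs from one IP in 25 seconds
        $lines[] = sprintf($fmt, '203.0.113.7', 5, $s);
    }
    return $lines;
}

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : sample_log();
foreach (find_bursts($lines) as $ip => $peak) {
    printf("%s: %d POSTs to xmlrpc.php within %d seconds\n", $ip, $peak, WINDOW_SECONDS);
}
```

Run on the built-in sample it reports only 203.0.113.7; a real deployment would run it from cron against the rotated log or feed the same logic into a WAF or fail2ban-style rule.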

Common Myths About XML-RPC

Some site owners believe XML-RPC is safe if they use strong passwords. Strong passwords help but do not stop amplification attacks. Others think disabling XML-RPC breaks WordPress core features. WordPress core does not require XML-RPC to function. The block editor, plugin updates, and theme management all work without it. Another myth claims that removing xmlrpc.php provides permanent protection. WordPress core updates will restore the file. Always use filters or server rules for permanent protection.

Final Recommendations

Disable XML-RPC if you do not need remote publishing or app integration. Most WordPress sites will never use XML-RPC features. For the majority of site owners, disabling it removes a major attack vector without any downside. If you need XML-RPC, restrict it to known IP addresses or use a selective disabling plugin. Combine this with a comprehensive security solution like Trusti Security for layered protection across authentication, file integrity, and activity monitoring. Security is about reducing your attack surface. Removing XML-RPC is one of the easiest wins available.
