What is xmlrpc.php and what does it do?
The WordPress system comes with an XML-RPC protocol that allows external software to use WordPress services to publish posts, save copies, advanced editing options, publish to multiple blogs simultaneously, and more. All under a convenient and fast interface. These options pose a security risk because they open the door to receiving external information without interruption. Starting with WordPress version 3.5, this function is enabled by default, and there is no way to disable it through the WordPress management interface. However, you can edit files through the website storage management interface to disable it.Do I need it?
Probably not. Most users do not need xmlrpc.php, and most people prefer the visual interface that comes with WordPress. However, sites such as Blogger and mobile programming for WordPress need the protocol.Disabling xmlrpc.php from the .htaccess file
Let's say we want to allow access only from the IP address 123.123.123.123 and block all others. In order to block all requests to the xml-rpc.php file except for the IP we specify, enter these lines in the .htaccess file:# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 123.123.123.123 </Files>
When Disabling XML-RPC Helps
Disabling or filtering xmlrpc.php is useful when brute-force attempts and pingback abuse generate high noise. It is not a universal fix, but in many WordPress environments it reduces attack surface significantly.
- Block or rate-limit xmlrpc.php at WAF or web-server level.
- Keep REST API behavior unaffected for required integrations.
- Monitor for plugin features that still depend on XML-RPC.
Validation and Monitoring
After policy changes, verify login functionality, mobile publishing requirements, and plugin compatibility. Track 403 and 429 logs to confirm security gain without breaking legitimate workflows.
Why xmlrpc.php is a preferred attack target
xmlrpc.php is an old WordPress endpoint intended for connecting external applications (mobile apps, Pingbacks, Trackbacks). The problem: it allows multiple login attempts in a single HTTP request — making it a highly effective weapon for Brute Force attacks, 50-100× more efficient than regular logins via wp-login.php.
In addition, the system.multicall and pingback.ping functions can be used as a DDoS vector — an attacker can ask 1000 WordPress sites to pingback the target site in parallel, generating significant load.
How to block effectively
Method 1: via .htaccess (Apache)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Method 2: via Nginx
location = /xmlrpc.php {
deny all;
return 403;
}
Method 3: WordPress plugin
The "Disable XML-RPC" plugin does the job in 3 clicks. Suitable if you don't have .htaccess or server config access.
When NOT to block
If you use the official WordPress mobile app, Jetpack, or development tools that rely on REST/XML-RPC — blocking xmlrpc.php will break functionality. In that case, better to protect xmlrpc.php with rate limiting rather than block it entirely.
Our managed hosting plans come with Imunify360 which identifies and blocks attacks on xmlrpc.php in real time, even when the file remains accessible.