How to Enable and Disable XMLRPC.PHP in WordPress and Why

XMLRPC is the interface that allows other applications to update WordPress remotely. For instance, the Windows Live Writer system is capable of posting blogs directly to WordPress because of xmlrpc.php. In its earlier days, however, it was switched off by default, partly because of problems with its code.

In essence, xmlrpc.php could open the site to various attacks and other issues. The developers have long since tightened up its code, and it is still widely used.

In this tutorial, we’re going to show you how to enable and disable the xmlrpc.php and why it’s important to know the difference.

What Is XMLRPC.PHP and Why Do You Need It?

The xmlrpc.php allows remote connection to WordPress. Without it, various tools and publishing applications simply will not be able to access the website. Any updates or additions to the website would have to be made while logging directly into the system.

The Good

By disabling this feature, you close one externally reachable entry point. Every authenticated XML-RPC call carries a username and password, so the endpoint is a convenient place for attackers to try guessed or stolen credentials, and its pingback method makes your site fetch URLs on request, which has been abused to aim traffic at other sites. The core contributors maintain xmlrpc.php to the same standard as the rest of WordPress, but if nothing on your site needs it, switching it off removes that surface entirely rather than merely hardening it.

It’s like having a house with only one door. Adding a second door may be more convenient, but it creates another entry point that needs to be locked.

The Bad

The obvious downside to eliminating this feature is that remote access to WordPress will no longer be possible. This removes some of the functionality and versatility of the system. Instead of posting from a different application through remote access, any content and other changes would have to be made by logging directly into WordPress.

This can be problematic for those who like the idea of posting content directly from their mobile devices.

How Do I Know When XMLRPC Is Enabled?

This is something that seems to cause confusion. Remember, XMLRPC is enabled by default: it has been active on every fresh install since WordPress 3.5, when the option to switch it off was removed from Settings.

So if you use any of the following methods to disable it, simply reverse the setting or remove the code to re-enable it.
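If you want to confirm the state from the outside rather than trust a setting, here is an added example of a small probe script (my own code, not from the article or from WordPress). It POSTs a wp.getUsersBlogs call with deliberately bogus credentials and reads the fault code WordPress itself returns: 405 "XML-RPC services are disabled on this site." when the xmlrpc_enabled filter has switched it off, 403 "Incorrect username or password." when XML-RPC is fully live, and a non-200 HTTP status when something like an .htaccess rule stopped the request before WordPress ran. The site URL and credentials are placeholders; run it only against sites you administer, because the target logs it as a failed login.

```php
<?php
// Added example, not code from the original article or from WordPress core.
// Placeholders: the site URL passed to xmlrpc_probe() and the fake credentials.

const PROBE_BODY = <<<XML
<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>xmlrpc-probe</string></value></param>
    <param><value><string>not-a-real-password</string></value></param>
  </params>
</methodCall>
XML;

/** POST the probe to <site>/xmlrpc.php and return [HTTP status, response body]. */
function xmlrpc_probe(string $site): array
{
    $ctx = stream_context_create([
        'http' => [
            'method'        => 'POST',
            'header'        => "Content-Type: text/xml\r\n",
            'content'       => PROBE_BODY,
            'ignore_errors' => true, // keep the body on 403/404/503 instead of failing
            'timeout'       => 10,
        ],
    ]);
    $body   = @file_get_contents(rtrim($site, '/') . '/xmlrpc.php', false, $ctx);
    $status = 0; // 0 means no HTTP response at all
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, $body === false ? '' : $body];
}

/** Return faultCode from an XML-RPC fault response, or null if there is none. */
function xmlrpc_fault_code(string $body): ?int
{
    $xml = @simplexml_load_string($body);
    if ($xml === false) {
        return null;
    }
    $code = $xml->xpath('/methodResponse/fault//member[name="faultCode"]/value/int');
    return $code ? (int) $code[0] : null;
}

/** Turn the probe result into a verdict a site owner can act on. */
function classify_xmlrpc(int $status, string $body): string
{
    if ($status === 0) {
        return 'no response (site unreachable or connection refused)';
    }
    if ($status !== 200) {
        return "blocked before WordPress ran (HTTP $status): .htaccess rule, "
             . 'web server config, or the file was removed';
    }
    switch (xmlrpc_fault_code($body)) {
        case 405:
            return 'disabled via the xmlrpc_enabled filter; unauthenticated methods '
                 . 'such as pingback.ping and system.listMethods still answer';
        case 403:
            return 'ENABLED: xmlrpc.php accepted the call and checked the password';
        default:
            return 'HTTP 200 but no recognisable XML-RPC fault (a plugin may be '
                 . 'returning its own page); inspect the body';
    }
}

[$status, $body] = xmlrpc_probe('https://example.com'); // placeholder site
echo classify_xmlrpc($status, $body), PHP_EOL;
```

The distinction between the 405 and the non-200 outcomes is the one that matters in practice: a filter-based disable still leaves xmlrpc.php answering unauthenticated methods, while a web server rule stops every request to the file.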

The Reality of XMLRPC

For the most part, xmlrpc.php is only truly useful if you’re planning to use mobile apps or remote connections to publish content on your website. As mobile use has become such a prevalent way to access the Internet, many people use remote apps to make managing their WordPress sites easier.

This is also one of the reasons why developers put so much effort into fixing the problems with this feature’s coding in the past.

However, not everyone will need this ability enabled. Many aspects of the system work very well and are easy to use on smartphones or tablets. This is especially true since the core of WordPress works exceptionally well in a mobile environment.

Disabling XMLRPC Through Plugins

While many things can be done at the coding level in WordPress, sometimes it’s just easier to use the right plugin. Today, we’re going to use Manage XML-RPC. This plugin is simple and does the job to enable and disable the XMLRPC whenever you wish.


In order to use this great little plugin you need to install and activate it from the plugins page in your WordPress admin dashboard.


After installing and activating the plugin, a new feature will appear in the left side of your WordPress admin panel called, “XML-RPC Settings.” Click this link to open the plugin.


Check the box to “Disable XML-RPC” if you want to remove the remote access abilities of WordPress. At any time, you can uncheck the box to re-enable it.


Once your selections have been made, click the “Save Changes” button on the bottom left of the screen.

NOTE: Manage XML-RPC also comes with the ability to disable pingbacks, and it lets you enable or disable xmlrpc.php for specific IP addresses instead of the entire site. This is convenient if you want remote access to keep working for one application or user while everyone else is blocked.

Here are a few other plugins you may be interested in that also enable and disable xmlrpc.php.

Disable XML-RPC

The Disable XML-RPC plugin is a simple way of blocking remote access to WordPress. It is one of the most highly rated plugins in this category, with more than 60,000 installations, and it has helped many people shut down denial-of-service attempts that abuse XMLRPC.

Disable XML-RPC Pingback

The Disable XML-RPC Pingback plugin takes a narrower approach: it leaves remote publishing in place and removes only the pingback methods from the XML-RPC interface, which are the part most often abused to reflect traffic at other sites.

Both of these plugins could be worth adding to your website.

Using the .htaccess File to Disable XMLRPC

Many people have had success disabling xmlrpc.php through the .htaccess file. The code itself is short and is a good option if you don’t want to add another plugin.

To disable xmlrpc.php with .htaccess, go to the root folder of your WordPress website using FTP or, if you have it available, the File Manager in your GreenGeeks account.


Find and edit the .htaccess file. In some versions of cPanel this file is hidden. To see it, click “Settings” in the top right of the File Manager, check the option that says “show hidden files,” and click Save. The .htaccess file will now appear.


Open the .htaccess file and add the following code:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

The <Files xmlrpc.php> wrapper matters: without it the deny applies to every file on the site, not just xmlrpc.php. The address 123.123.123.123 is a placeholder for the one machine or service that still needs remote access; replace it with that address, or delete the allow line to deny everyone.


Now “Save” the file. From this point the web server answers every request to xmlrpc.php with a 403 before WordPress runs, except requests from the address on the allow line. Two caveats: order/deny/allow is the Apache 2.2 syntax, which Apache 2.4 only honours through mod_access_compat, so on 2.4 use Require all denied and Require ip 123.123.123.123 inside the same Files block; and if your site runs on nginx, .htaccess is ignored entirely and the equivalent rule belongs in the server configuration.

Using Code in a Site-Specific Plugin

A site-specific plugin can be extremely useful if you want to add functionality to your site without incorporating third-party software. It’s a great way to add snippets you find on the Internet to use in your site without editing a theme template or the functions.php file.

In your site-specific plugin, you can simply add the following code to disable the remote access feature:

add_filter('xmlrpc_enabled', '__return_false');

Once saved, the site-specific plugin will run the above code and WordPress will refuse every XML-RPC method that requires a login. Note that this filter is only checked at login time, so unauthenticated methods such as pingback.ping and system.listMethods still answer, and the file itself is still served. You will need to remove the code in the event you want to turn the feature back on.
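To go beyond that single filter, here is an added example of a small site-specific plugin (my own code, not the article’s or WordPress’s). It keeps the xmlrpc_enabled filter, strips the pingback methods with the xmlrpc_methods filter so the endpoint cannot be used as a pingback reflector, drops the X-Pingback header and the RSD link that advertise the endpoint on every page, and leaves XML-RPC fully working for an assumed list of trusted IP addresses, much like the per-IP option in the Manage XML-RPC plugin. The plugin name, the ssp_ prefix and the 203.0.113.10 address are placeholders.

```php
<?php
/**
 * Plugin Name: Site-Specific XML-RPC Lockdown
 * Description: Added example, not code from the original article or WordPress core.
 *              Disables authenticated XML-RPC calls, removes the pingback methods,
 *              hides the endpoint advertisements, and allow-lists trusted IPs.
 */

// Assumption: addresses for which XML-RPC stays fully enabled. Leave empty to
// allow nobody. Note that REMOTE_ADDR is the proxy/CDN address if one sits in
// front of the site, so adjust the lookup if you run behind one.
const SSP_XMLRPC_ALLOWED_IPS = [ '203.0.113.10' ];

function ssp_xmlrpc_client_allowed(): bool {
	$ip = $_SERVER['REMOTE_ADDR'] ?? '';
	return in_array( $ip, SSP_XMLRPC_ALLOWED_IPS, true );
}

// xmlrpc_enabled is checked in the server's login() step, so it only guards
// methods that require credentials; pingback.ping and system.listMethods
// are unaffected by it.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
	return ssp_xmlrpc_client_allowed() ? $enabled : false;
} );

// Remove the pingback methods outright for everyone else, so the endpoint
// cannot be pointed at third-party sites even though the file still responds.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
	if ( ssp_xmlrpc_client_allowed() ) {
		return $methods;
	}
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ): array {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// The RSD <link> in the page head also points at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

Drop the file into your site-specific plugin (or its own directory under wp-content/plugins) and activate it; to re-enable XML-RPC for everyone, deactivate the plugin rather than editing the list.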

When Will I Need to Enable XMLRPC On My Site?

If you use, or are planning to use, a remote system to post content to your site, you will need this feature enabled. Otherwise, you won’t be able to make remote connections through the system. If you disabled the feature and found that some of your plugins or other tools no longer work, you will need to re-enable it to continue using those additions.

Not everyone will need xmlrpc.php turned on within WordPress for it to function properly. In fact, a lot of you may never use this feature at all. If you’re worried about additional security issues, it’s in your best interest to disable this feature until you absolutely need it.

What kind of tools have you disabled in WordPress? What plugins do you have the take the place of coding on your website?

17 thoughts on “How to Enable and Disable XMLRPC.PHP in WordPress and Why”

  1. My issue is that I want to be able to make sure that XML-RPC is switched on, as using IFTTT requires it to enable use of WordPress in its system. Is there a plugin that allows you to switch it on or off?

  2. My problem seems to be the opposite. I’m attempting to connect my website to Windows LiveWriter and when I try to log in it can’t locate the file xmlrpc.php. It says:

    “The following website address could not be found xmlrpc.php. Please check the URL and try again.”

    So, I tried to look for that file in File Manager and it doesn’t exist. What do I do to get this working?

  3. I need to enable it for IFTTT. How do I do it? The .htaccess does not restrict XML-RPC. I have installed Wordfence and Akismet. Do they disable the XML-RPC?

  4. XML RPC is a garbage file which gave a very nice dashboard to the people who hacked the theme I **bought**.
    So basically, XML RPC is a comfy couch you’re giving your hackers to hack your domain. WTF would WP put it in the first place? There are many secure free VPN services, like TeamViewer or many others; are they insisting they invented something new?

    Jettison that comfy couch out of your server. I hope as many people as possible read this.
    erezT

  5. erezT, despite your dogmatic and slightly aggressive opinion, one wouldn’t generally use RPC for “Remote Desktop” type purposes. RPC opens up the ability to hook into the WordPress API, e.g. upload media automatically via Zapier or IFTTT etc.

    Let’s not throw the baby out with the bathwater just because one may focus on all the negatives of RPC.

  6. Thanks Chris for the detailed explanation.

    Mattias, your suggestion of the littlebizzy plugin that issues 503’s is also helpful. I’m managing almost 40 WordPress sites, so I’m scouting for the most efficient way to implement. I use ManageWP so I can centrally install and activate a plugin on all sites with one request. I like that this plugin goes to work immediately on activation and doesn’t need manual configuration.

    Chris, you asked “What kind of tools have you disabled in WordPress?” I have two tiny plugins that I use for temporarily disabling WP features. One hides the edit post links so that I can view a page without the clutter and without logging out. The other disables the edit post lock, so that I can do a training session with a remote client and we can both view the edit screen. I just put them into GitHub in case they’re useful for anyone else: https://github.com/donnamcmaster/mcw-hide-edit-post-link and https://github.com/donnamcmaster/mcw-disable-edit-lock.

    You can pull the code out and put it into your functions file, but then you have to edit the file to turn them on/off. As plugins, they’re easy to enable only when you need them. HTH.

  7. XMLRPC makes WordPress sites programmable. Being able to post from a script is extremely useful for site management. The idea that everybody should have to use an interactive web interface is weird in the first place. The availability of XML RPC is what makes WordPress worthwhile.

  8. Thanks for the share.
    Any idea if a free account on WP.com can be connected via XMLRPC? I was trying to get OnlyWire on but without success. The suggestion from the software was to change the settings, but there are no settings for XMLRPC through the admin panel.

  9. erezT, why such absolutes? Why are you so willing to disable XML-RPC for an UNMEASURABLE improvement in security? Why limit the ability to manage a WordPress web site to just a web browser?

    The experience of editing WordPress from a mobile browser (and a touch screen interface) is painful. The experience from the WordPress app is much better.

    I think everyone needs to do their own assessment of the risk and make a decision. A “this should never be done” approach is untenable.

  10. I need to verify a new website with WordPress on the Gravatar site, and when I try to verify it I am not able to; it’s got something to do with the XML-RPC API.

    I downloaded the plugin too but nothing helped.

  11. You can take a look at the REST XML-RPC Data Checker (https://wordpress.org/plugins/rest-xmlrpc-data-checker/) plugin: it allows extended access control of the XML-RPC and REST APIs (enabling also by user/IP/method or endpoint).

    The REST API is enabled by default and you should know that this way a WordPress instance is potentially leaking data (for example, anyone could easily copy your published contents natively, get the list of all users or retrieve other information that you didn’t want to be public).

  12. On my own WordPress blog, of which I am the only user, I simply move the file /usr/share/wordpress/xmlrpc.php when I want to disable xmlrpc, and move it back into place to re-enable it. E.g.:

    sudo mv /usr/share/wordpress/xmlrpc.php /root
    sudo mv /root/xmlrpc.php /usr/share/wordpress

    While it is disabled, I can’t use the Android WordPress app to view comments, but this is a small price to pay. For larger sites with many users, the picture might be more complicated.
