WordPress comes with tons of features to customize and create a beautiful website. However, a user does not need to make use of all the available features. For example, blog commenting is a simple feature that you can disable site wide when you do not want to use comments on your site. XML-RPC is one such old WordPress feature that many users do not use on their site. The problem is that users are not aware that such a function exists until it causes a problem. In this article, we will explain what XML-RPC in WordPress is and why you should disable it right away.
What is XML-RPC?
XML stands for Extensible Markup Language and RPC stands for Remote Procedure Call. Putting the two together, it is easy to understand that XML-RPC is a remote protocol for connecting to WordPress using XML. The original reason for having XML-RPC in WordPress was to allow data transfer with other systems. This data uses XML as the encoding mechanism and HTTP as the transport medium between WordPress and any compatible application.
WordPress has its own XML-RPC API for various reasons, as explained in its documentation. Earlier, users needed to enable XML-RPC to use third-party mobile apps and integrations with WordPress. However, WordPress 3.5 and above versions come with the XML-RPC file pre-installed and enabled on your site by default.
Where Can You Find XML-RPC File in WordPress?
You can find the xmlrpc.php file in the root installation folder of your site using FTP or a File Manager app. When you look at the file’s content, it has APIs for connecting to WordPress.com, Blogger, MetaWeblog and Movable Type.
You can also find this xmlrpc.php file referenced in the source code of your site as an RSD URL (Really Simple Discovery service) like below:
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://yoursite.com/xmlrpc.php?rsd" />
Opening that URL will show the RSD document it serves.
In addition, there will be an additional link in the header for pingbacks, like below.
<link rel="pingback" href="https://yoursite.com/xmlrpc.php">
When you open this xmlrpc.php link in a browser (a GET request), it will show the message “XML-RPC server accepts POST requests only”.
What Can You Do with XML-RPC?
As you can see, the protocol is useful when you want to connect third-party services to WordPress, for example:
- Posting from applications like Microsoft Word or any other apps
- Connecting from other blogging platforms
- Notifying pingbacks and trackbacks to your website
Some old plugins may also use XML-RPC for integration purposes.
Problems with XML-RPC in WordPress
Though XML-RPC was useful for a specific need, it can create many problems for those who do not use it on their site. On WordPress sites, xmlrpc.php is usually one of the most frequently hit URLs when you look at the server log files. This is because many attackers try to log in and post content on your site using this remote protocol. Here are some of the problems the xmlrpc.php file can cause on your site:
- Two of the most common security challenges websites face are denial of service (DoS) and brute force attacks. Both commonly target the XML-RPC endpoint, which is why disabling it in WordPress is recommended.
- There is an unnecessary link in the header, and bots will continuously try to access xmlrpc.php. This can make your website noticeably slow because of the server resources these requests consume.
- Also, some plugins aren’t compatible with XML-RPC and run into technical issues when activated.
Finally, with the advent of the REST API, there isn’t a need for XML-RPC anymore. You can use the REST API to connect with third-party apps like the Jetpack mobile app for self-hosted WordPress and all the other blogging platforms listed in the xmlrpc.php file.
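To see the brute-force pattern described above in your own logs, here is an added example (not from the original article) that parses combined-format access log lines and flags client IPs that repeatedly POST to xmlrpc.php. The log lines are constructed for the demo, and the threshold of three requests is an assumption you would tune for your site.

```python
"""Flag clients hammering xmlrpc.php in an Apache/Nginx combined access log.

Added example, not from the original article. The log lines below are
constructed for the demo; the threshold is an assumption to tune per site.
"""
import re
from collections import Counter

# Combined log format: IP - - [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client repeatedly POSTing to xmlrpc.php, others normal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_hits(log_text):
    """Count requests to xmlrpc.php, keyed by (ip, method, status)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Ignore any query string (e.g. ?rsd) when matching the path.
        if rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            hits[(rec["ip"], rec["method"], int(rec["status"]))] += 1
    return hits


def flag_abusers(log_text, threshold=3):
    """Return {ip: count} for IPs with at least `threshold` successful POSTs to xmlrpc.php.

    Only 200 responses count: once the endpoint is blocked (403), the noise is
    still visible in xmlrpc_hits() but no longer reaches WordPress.
    """
    per_ip = Counter()
    for (ip, method, status), n in xmlrpc_hits(log_text).items():
        if method == "POST" and status == 200:
            per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flag_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {n} successful POSTs to xmlrpc.php")
```

Run it as `python3 xmlrpc_log_check.py < /dev/null` after pointing `SAMPLE_LOG` at your real access log; on the constructed sample it reports the single client that sent four successful POSTs, while the 403 from the already-blocked client is counted separately so you can confirm the block is taking effect.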
How to Disable XML-RPC in WordPress?
As xmlrpc.php is outdated and the REST API does the same job better, it is a good idea to disable xmlrpc.php on your site. You can disable XML-RPC in WordPress by adding code to the .htaccess file or by using a plugin, which will effectively add the code for you.
Disable XML-RPC in WordPress with a Plugin
Many plugins exist for this purpose, and many security plugins include disabling XML-RPC as a feature. We recommend the “Disable XML-RPC-API” plugin, as it does the job well. Go to your WordPress admin dashboard, hover on “Plugins”, and click the “Add New” menu. Type the plugin name in the search box to find it. Then, install and activate the plugin on your site.
Locate the new side menu “XML-RPC Security” and click on it. Scroll down and turn the “XML-RPC Api Master switch” and “Enable xml-rpc for Jetpack” buttons off. Then, provide a list of IP addresses in the “White List IPs” box if you want to allow access to the feature from specific IPs only. Otherwise, leave it blank to disable xmlrpc.php completely.
Disable XML-RPC in WordPress through htaccess
If you do not want to install an additional plugin to disable XML-RPC on your site, check whether your security plugin offers this feature. If not, the alternative is to manually add a few lines to the .htaccess file. This file is available in the root installation folder of any WordPress installation on Apache.
- Log in to your website’s hosting account and go to the cPanel or custom panel dashboard.
- Search for and open the “File Manager” app and navigate to the “public_html” folder. This is the root directory of your site, which contains the core WordPress files and the server files WordPress needs to work properly.
- Select the .htaccess file and click the “Edit” option. Copy the following code and paste it at the bottom of the file.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
It should look something like the following in the file once pasted (note that the Order directive takes a single argument, deny,allow, with no space after the comma; a stray space makes Apache reject the file).
After inserting the code, click the “Save” button to make the changes effective.
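A quick way to confirm the .htaccess block is working is to request xmlrpc.php with both a GET and a POST and look at what comes back. The script below is an added example, not part of the original article: `classify_response` maps the status code and body to a verdict, and `check_xmlrpc` performs the two requests against a site URL you supply (the `https://yoursite.com` default is a placeholder). The POST sends the standard `system.listMethods` call, which needs no credentials, so the check proves only that the endpoint still answers, not that any account is exposed.

```python
"""Verify that xmlrpc.php is actually blocked after editing .htaccess.

Added example, not from the original article. Run it against your own site;
classify_response() is a pure function so the verdict logic can be tested offline.
"""
import urllib.error
import urllib.request

# Minimal, unauthenticated XML-RPC call that any live WordPress endpoint answers.
LIST_METHODS = (
    b"<?xml version='1.0'?><methodCall>"
    b"<methodName>system.listMethods</methodName><params/></methodCall>"
)


def classify_response(status, body):
    """Map an HTTP status and body from xmlrpc.php to a verdict string."""
    if status == 403:
        return "blocked"      # the <Files xmlrpc.php> deny rule is working
    if status == 404:
        return "missing"      # file removed or rewritten away
    if status == 200 and "accepts POST requests only" in body:
        return "reachable"    # endpoint alive; GET rejected as WordPress normally does
    if status == 200 and "<methodResponse>" in body:
        return "serving"      # endpoint answered an XML-RPC call: not blocked
    return "unknown"


def _fetch(url, data=None):
    """Return (status, body) for a GET, or a POST when data is given."""
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    if data:
        req.add_header("Content-Type", "text/xml")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 403/404 arrive as exceptions; the body is still useful for classification.
        return e.code, e.read().decode("utf-8", "replace")


def check_xmlrpc(site):
    """Probe <site>/xmlrpc.php with GET and POST and return both verdicts."""
    url = site.rstrip("/") + "/xmlrpc.php"
    return {
        "GET": classify_response(*_fetch(url)),
        "POST": classify_response(*_fetch(url, LIST_METHODS)),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://yoursite.com"  # placeholder
    print(check_xmlrpc(target))
```

After the .htaccess change both verdicts should read `blocked`; a `POST: serving` result means requests are still reaching WordPress, which usually points to the rule being in the wrong directory or the server not honouring .htaccess at all.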
Only Disabling Pingbacks and Trackbacks
If you want to disable only the pingback functionality and leave other XML-RPC features accessible, install and activate the “Remove & Disable XML-RPC Pingback” plugin instead. Alternatively, go to the “Settings > Discussion” section and disable the “Allow link notifications from other blogs (pingbacks and trackbacks) on new posts” option. Note that this only disables link backs for new posts you publish in the future.
Using Perfmatters Premium Plugin
After disabling the XML-RPC API on your site, you will see a 403 Forbidden error when trying to open the xmlrpc.php file.
However, the links in the header section will still be present even though they no longer serve any purpose. If that bothers you, you can use a bloat removal plugin to remove unnecessary header links inserted by WordPress. We recommend the premium Perfmatters plugin, as it can also optimize many other things, like managing scripts and removing unused CSS.
- Purchase the plugin using this 10% discount code and activate it on your site using the license key.
- Go to the “Settings > Perfmatters” menu and then navigate to the “Options > General” section.
- Enable the option that says “Disable XML-RPC”.
- Scroll to the bottom and click the “Save Changes” button.
Now open any page of your site and check the source code. You will no longer find xmlrpc.php links in the header section.
Wrap Up on Disabling XML-RPC in WordPress
Remember, you can always revert these steps if you find you need XML-RPC again. This may be necessary if you use the Jetpack mobile app for publishing content. However, we strongly recommend using REST API apps and keeping XML-RPC disabled. This will help avoid security risks and protect your site from attackers.