
Disable WordPress XML-RPC

Disable XML-RPC to improve security and prevent brute force attacks

Tags: #wordpress #security #xmlrpc #hardening



XML-RPC (xmlrpc.php) is WordPress's legacy remote API and it has no rate limiting of its own. Its system.multicall method lets a single HTTP request carry hundreds of login attempts, and pingback.ping makes the site fetch an attacker-chosen URL, which has been used for reflected DDoS and for scanning internal hosts. This snippet disables XML-RPC while leaving the rest of WordPress, including the REST API, untouched.

// Method 1: Disable authenticated XML-RPC methods
// Note: this filter only gates methods that log in (wp.*, blogger.*, mt.* ...).
// Unauthenticated methods such as pingback.ping and demo.sayHello still answer,
// so combine it with Method 2 or with the pingback filter below.
add_filter('xmlrpc_enabled', '__return_false');

// Method 2: Reject every XML-RPC request with 403 before any method is dispatched
// XMLRPC_REQUEST is defined at the top of xmlrpc.php, so it is visible on 'init'.
function disable_xmlrpc_completely() {
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        status_header(403);
        nocache_headers();
        header('Content-Type: text/plain; charset=utf-8');
        exit('XML-RPC is disabled on this site.');
    }
}
add_action('init', 'disable_xmlrpc_completely', 1);

// Method 3: Stop advertising the endpoint in the X-Pingback response header
function remove_xmlrpc_pingback_header($headers) {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'remove_xmlrpc_pingback_header');

// Remove the RSD link (Really Simple Discovery) from <head>; it points scanners at xmlrpc.php
remove_action('wp_head', 'rsd_link');

// Remove the Windows Live Writer manifest link (core dropped it in 6.3; harmless on newer versions)
remove_action('wp_head', 'wlwmanifest_link');

// Disable the pingback methods, which Method 1 does not cover
function disable_xmlrpc_pingback($methods) {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    return $methods;
}
add_filter('xmlrpc_methods', 'disable_xmlrpc_pingback');

.htaccess Method (Apache)

Add to your .htaccess file:

# Block access to xmlrpc.php (returns 403 Forbidden)
<Files xmlrpc.php>
    # Apache 2.4 and newer
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>

Nginx Configuration

Add to your Nginx configuration:

# Block xmlrpc.php (returns 403 Forbidden)
location = /xmlrpc.php {
    deny all;
    # Turn this off only if you do not want to see the attempts in your logs
    access_log off;
    log_not_found off;
}

Do not combine "deny all;" with "return 444;": return runs in the rewrite phase, before the access phase that evaluates deny, so only the return would take effect. If you prefer to drop the connection without a response, use "return 444;" on its own instead of "deny all;"; curl will then report an empty reply rather than a 403.

Selective Disable (Keep Jetpack Working)

// Disable XML-RPC but allow Jetpack
function disable_xmlrpc_except_jetpack($methods) {
    // Allowlist: the Jetpack connection methods to keep
    // Jetpack exposes further jetpack.* methods (sync, remote JSON API); if a
    // feature breaks after enabling this, check which method it needs and add it.
    $jetpack_methods = array(
        'jetpack.testAPIUserCode',
        'jetpack.testConnection',
        'jetpack.remoteAuthorize',
        'jetpack.remoteProvision',
        'jetpack.remoteConnect',
        'jetpack.remoteDisconnect',
        'jetpack.remoteRegister',
        'jetpack.getUser',
    );

    // Remove every method not on the allowlist (system.multicall and pingback.ping included)
    foreach ($methods as $method => $callback) {
        if (!in_array($method, $jetpack_methods, true)) {
            unset($methods[$method]);
        }
    }

    return $methods;
}
// Run late so the filter also sees the methods Jetpack itself registers on this hook
add_filter('xmlrpc_methods', 'disable_xmlrpc_except_jetpack', 999);

Log XML-RPC Attempts

// Log XML-RPC access attempts
// Priority 0 so this runs before a blocking hook registered at priority 1 on 'init'.
function log_xmlrpc_attempts() {
    if (!(defined('XMLRPC_REQUEST') && XMLRPC_REQUEST)) {
        return;
    }

    // REMOTE_ADDR is the proxy's address if the site sits behind a CDN or load balancer.
    // Strip control characters so an attacker-supplied User-Agent cannot forge log lines.
    $ip         = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $user_agent = preg_replace('/[\x00-\x1F\x7F]/', '', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $user_agent = substr($user_agent, 0, 200);
    $timestamp  = current_time('mysql');

    error_log(sprintf(
        'XML-RPC attempt - IP: %s, User-Agent: %s, Time: %s',
        $ip,
        $user_agent,
        $timestamp
    ));

    // Optional: e-mail alert, at most once per hour. One mail per request would let
    // any scanner flood the admin inbox and the site's mail queue.
    if (get_transient('xmlrpc_alert_sent')) {
        return;
    }
    set_transient('xmlrpc_alert_sent', 1, HOUR_IN_SECONDS);

    $admin_email = get_option('admin_email');
    $subject     = 'XML-RPC Access Attempt Detected';
    $message     = sprintf(
        "An XML-RPC request was received:\n\nIP Address: %s\nUser-Agent: %s\nTime: %s\nURL: %s",
        $ip,
        $user_agent,
        $timestamp,
        $_SERVER['REQUEST_URI'] ?? ''
    );

    wp_mail($admin_email, $subject, $message);
}
add_action('init', 'log_xmlrpc_attempts', 0);
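A log line that only says "an XML-RPC request arrived" does not tell you whether it was a Jetpack heartbeat or a brute-force payload. The following is an added example, not part of the original snippet: it summarises the request body before WordPress parses it, recording the outer method name and, for system.multicall, how many nested calls the request carried (each one is a separate credential guess in a brute-force payload). The body is attacker-controlled, so it is inspected with bounded regular expressions rather than an XML parser. Function names are my own; the hook names are core WordPress hooks. The sample multicall body at the bottom is constructed for the demonstration and is only used when the file is run from the command line outside WordPress.

```php
<?php
// Added example: summarise an XML-RPC request body for logging.
// Not part of the original snippet; function names are assumptions.

/**
 * Return ['method' => outer methodName or 'unknown', 'calls' => int].
 * For system.multicall, 'calls' counts the nested methodName struct members.
 * The method name is restricted to [A-Za-z0-9_.], so it is safe to log verbatim.
 */
function xmlrpc_summarize_body(string $body): array {
    // Inspect at most 64 KiB so a huge body cannot burn CPU in a logging hook.
    $body = substr($body, 0, 65536);

    if (!preg_match('#<methodName>\s*([A-Za-z0-9_.]+)\s*</methodName>#', $body, $m)) {
        return ['method' => 'unknown', 'calls' => 0];
    }
    $outer = $m[1];

    if ($outer !== 'system.multicall') {
        return ['method' => $outer, 'calls' => 1];
    }

    // Nested calls are structs: <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
    // The <string> wrapper is optional in XML-RPC, so it is matched optionally.
    $nested = preg_match_all(
        '#<name>\s*methodName\s*</name>\s*<value>\s*(?:<string>\s*)?([A-Za-z0-9_.]+)#',
        $body,
        $n
    );

    return ['method' => $outer, 'calls' => (int) $nested];
}

// Log one line per XML-RPC request. Priority 0 so it runs before a blocking hook at priority 1.
function log_xmlrpc_method_summary(): void {
    if (!(defined('XMLRPC_REQUEST') && XMLRPC_REQUEST)) {
        return;
    }
    // php://input can be read again by xmlrpc.php afterwards (PHP 5.6 and newer).
    $summary = xmlrpc_summarize_body((string) file_get_contents('php://input'));

    error_log(sprintf(
        'XML-RPC request: method=%s calls=%d ip=%s',
        $summary['method'],
        $summary['calls'],
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
}

if (function_exists('add_action')) {
    add_action('init', 'log_xmlrpc_method_summary', 0);
} elseif (PHP_SAPI === 'cli') {
    // Constructed sample: a two-guess multicall brute-force payload, for running this file stand-alone.
    $sample = <<<'XML'
<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>Password1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>Password2</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>
XML;
    print_r(xmlrpc_summarize_body($sample));
}
```

Run as a plugin, this writes lines such as `XML-RPC request: method=system.multicall calls=2 ip=...` to the PHP error log; run from the command line outside WordPress, it summarises the constructed sample as method `system.multicall` with 2 calls. A multicall with dozens of nested wp.getUsersBlogs calls from one address is the signature to alert on.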

Complete Security Package

// Comprehensive XML-RPC security
class XMLRPC_Security {

    public function __construct() {
        // Disable authenticated XML-RPC methods (unauthenticated ones are caught by block_requests)
        add_filter('xmlrpc_enabled', '__return_false');

        // Remove the X-Pingback header
        add_filter('wp_headers', array($this, 'remove_headers'));

        // Remove discovery links from <head>
        remove_action('wp_head', 'rsd_link');
        remove_action('wp_head', 'wlwmanifest_link');

        // Block requests before any XML-RPC method is dispatched
        add_action('init', array($this, 'block_requests'), 1);

        // Add admin notice
        add_action('admin_notices', array($this, 'admin_notice'));
    }

    public function remove_headers($headers) {
        unset($headers['X-Pingback']);
        return $headers;
    }

    public function block_requests() {
        if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
            status_header(403);
            nocache_headers();
            header('Content-Type: text/plain; charset=utf-8');
            exit('XML-RPC is disabled for security reasons.');
        }
    }

    public function admin_notice() {
        // Only administrators need to see the site's security configuration
        if (!current_user_can('manage_options')) {
            return;
        }
        echo '<div class="notice notice-success is-dismissible">';
        echo '<p><strong>Security:</strong> XML-RPC is disabled on this site.</p>';
        echo '</div>';
    }
}

// Initialize
new XMLRPC_Security();

Check if XML-RPC is Disabled

Test with curl (a browser cannot send the POST body):

curl -i -X POST https://yoursite.com/xmlrpc.php \
  -H "Content-Type: text/xml" \
  -d '<?xml version="1.0"?>
<methodCall>
  <methodName>demo.sayHello</methodName>
</methodCall>'

With Method 2, the XMLRPC_Security class, or a web-server block in place you should receive a 403 Forbidden response (an nginx "return 444;" drops the connection instead, so curl reports an empty reply). If you applied only Method 1, this test still answers with <string>Hello!</string>: demo.sayHello needs no login, and the xmlrpc_enabled filter only disables methods that authenticate. To see that filter's effect, call a method that logs in, such as wp.getUsersBlogs with a username and password; the response is then an XML fault with the message "XML-RPC services are disabled on this site."

Features

  • Complete Blocking: Multiple methods to ensure XML-RPC is disabled
  • Security Headers: Removes the X-Pingback header and the discovery links that advertise the endpoint
  • Jetpack Compatible: Option to keep Jetpack working
  • Logging: Track XML-RPC access attempts
  • Multiple Layers: PHP, .htaccess, and Nginx options
  • Attack Surface Reduction: Closes the XML-RPC vector for credential brute force (system.multicall) and pingback-based reflected DDoS; wp-login.php and the REST API still need their own protection

When to Keep XML-RPC Enabled

Only keep XML-RPC enabled if you:

  • Use Jetpack and need its features
  • Use mobile apps to publish content
  • Need pingback/trackback functionality
  • Use third-party services that require XML-RPC

Otherwise, disable it. If you must keep it, at least remove system.multicall and the pingback methods and throttle failed logins, so the endpoint cannot be used as a cheap password-guessing or reflection service.
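For sites that have to keep XML-RPC on (Jetpack, the mobile apps), here is an added example of the middle ground, not part of the original snippet: it removes the amplification methods and throttles failed XML-RPC logins per client address using transients. The hooks used (xmlrpc_methods, xmlrpc_login_error, xmlrpc_enabled) are core WordPress hooks; the function names, the threshold of 5 failures and the 15-minute window are my own assumptions, and REMOTE_ADDR is only meaningful if your proxy or CDN passes the real client address through to PHP.

```php
<?php
// Added example: keep XML-RPC enabled but remove abusable methods and throttle
// failed logins. Not part of the original snippet; names and limits are assumptions.

const XMLRPC_THROTTLE_MAX    = 5;                       // failures allowed per window
const XMLRPC_THROTTLE_WINDOW = 15 * MINUTE_IN_SECONDS;  // window length

// Drop the methods attackers rely on. system.multicall packs many login attempts
// into one request; pingback.ping is used for reflected DDoS and port scanning.
function xmlrpc_remove_abusable_methods($methods) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
}
// Run late so plugins that register their own methods on this hook are still covered.
add_filter('xmlrpc_methods', 'xmlrpc_remove_abusable_methods', 999);

// Transient key for the current caller. Behind a proxy, REMOTE_ADDR is the proxy
// unless the server is configured to restore the client address.
function xmlrpc_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'xmlrpc_fail_' . md5($ip);
}

// Count a failed XML-RPC login. Core fires this action from wp_xmlrpc_server::login()
// with the IXR_Error and the WP_Error from wp_authenticate().
function xmlrpc_record_login_failure($error, $user) {
    $key   = xmlrpc_client_key();
    $count = (int) get_transient($key);
    // Each failure restarts the window, so a slow steady guesser stays locked out.
    set_transient($key, $count + 1, XMLRPC_THROTTLE_WINDOW);
}
add_action('xmlrpc_login_error', 'xmlrpc_record_login_failure', 10, 2);

// Refuse authenticated XML-RPC methods for a throttled caller. Returning false
// makes core answer with fault 405 "XML-RPC services are disabled on this site."
function xmlrpc_throttle_enabled($enabled) {
    if (!$enabled) {
        return false;   // respect other plugins that already disabled XML-RPC
    }
    return (int) get_transient(xmlrpc_client_key()) < XMLRPC_THROTTLE_MAX;
}
add_filter('xmlrpc_enabled', 'xmlrpc_throttle_enabled');
```

Transients are per site and are cleared by the object cache or the database TTL, so the lockout is best effort rather than exact; that is acceptable here because the goal is to make XML-RPC no cheaper to attack than wp-login.php, not to replace a web-application firewall. Jetpack authenticates its own calls with signed requests rather than passwords, so it is not affected by the login throttle.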
