XML-RPC and how to remove it from WordPress

WordPress XML-RPC is a standard for connecting various system to WordPresss, for example Blogger or Movable Type platforms. Some desktop clients & official mobile applications also use WordPress XML-RPC. Back in the days XML-RPC was very helpful.

What is XML-RPC for and how did it help website owners?

XML-RPC examples

XML-RPC remote access protocol is out there for a couple of decades. It uses HTTP as a transport protocol & XML as a markup language which helps to transfer big amount of data. With WordPress XML-RPC you can make changes to your website without use of admin area.

One of the primary functions of xmlrpc.php is website administration via mobile app (iOS & Android). It also provides trackbacks & pingbacks from other resources.

 

WordPress XML-RPC relevance

An ability to activate/deactivate XML-RPC appeared ten years ago in WordPress 2.6. When iOS app came out support for XML-RPC was re-introduced without the ability of deactivation. That’s how the system works nowadays.

We think XML-RPC is going to be deprecated soon with REST API being the access interface in charge. It’s part of the WordPress core and there is no need for xmlrpc.php. The REST API is much safer than xmlrpc.php and it doesn’t put your website in danger.

 

What’s so dangerous about xmlrpc.php?

Safety — is the key disadvantage of WordPress XML-RPC. It can be used as a target for DDoS attack on your website. Hackers use WordPress pingback exploit to send enormous amount of queries. This vulnerability gives attackers a nearly unlimited number of IP-addresses to expand the attack.

Another WordPress XML-RPC vulnerability — it can be used to bruteforce usernames and passwords until the attackers get access to the website.

Things can get safer if you use WordPress plugins which rename xmlrpc.php into something else. But it’s easier to simply turn off XML-RPC on your website.

 

Using Clearfy free plugin to turn off XML-RPC

We suggest you to increase your website security with the Clearfy plugin. In a few clicks. Follow these simple steps:

  1. Download and install Clearfy free plugin
  2. Go to Clearfy settings page
  3. In the left menu click the “Defence” tab
  4. In the upper section you should see “Base settings” box

Disable WordPress XML-RPC — Clearfy plugin

You push the “On” button next to “Disable XML-RPC” label. You website just became safer than before, even if you had strong password.

 

Disabling XML-RPC programmatically

If you aren’t so sure about using the plugin and want to deal with the safety problem add this code to functions.php:

add_filter( 'xmlrpc_enabled', '__return_false' );

It’s important to remember that modifying WordPress parameters by yourself could be harmful. Dealing with problem via php code is not the best option. Let’s discuss its benefits and drawbacks.

Benefits:

  • Using the code allows to save some server resources but the savings are irrelevant
  • It can be helpful to improve your coding skills
  • You could make custom snippet specifically for your website

Drawbacks:

  • This code isn’t updated and supported by WordPress developers, it can become incompatible with newer WordPress version someday
  • You use it on your own risk
  • The code could have conflicts with your theme or plugins
  • You can’t get support if you website gets broken
  • Updating this snippet for multiple websites will become a pain in the butt

Important notice: You should be careful when editing website code. Don’t forget to make a backup before making any changes. If you don’t have enough experience it’s better to ask for qualified help or use Clearfy free plugin.

Scroll to Top