How to Enable and Disable XMLRPC.PHP in WordPress and Why

XMLRPC is a system that allows remote updates to WordPress from other applications. For instance, Windows Live Writer can post blogs directly to WordPress because of XMLRPC. In its earlier days, however, it was disabled by default because of coding problems.

In essence, xmlrpc.php could open the site to various attacks and other issues. Luckily, the developers of this code have long since tightened up its structure and it is still a widely used application.

In this tutorial, we’re going to show you how to enable and disable xmlrpc.php and why it’s important to know the difference.

Why Do You Need XMLRPC?

The XMLRPC allows remote connection to WordPress. Without it, various tools and publishing applications simply will not be able to access the website. Any updates or additions to the website would have to be made while logging directly into the system.

The Good

By disabling this feature, you eliminate the risk of external attacks gaining access. Although the contributors to this platform attest the programming of XMLRPC is as secure as the rest of the core files of WordPress, some may feel safer by disabling this ability.

It’s like having a house with only one door. Adding a second door may be more convenient, but it creates another entry point that needs to be locked.

The Bad

The obvious downside to eliminating this feature is that remote access to WordPress will no longer be possible. This removes some of the functionality and versatility of the system. Instead of posting blogs from a different application automatically through remote access, any content and other changes would have to be made through logging directly into WordPress.

This can be problematic for those who like the idea of posting content directly from their mobile devices.

The Reality of XMLRPC

For the most part, XMLRPC is only truly useful if you’re planning to use mobile apps or remote connections to publish content on your website. As mobile use has been such a prevalent way to access the Internet, many people will use remote apps to make developing their WordPress sites much easier.

This is also one of the reasons why developers put so much effort into fixing the problems with this feature’s coding in the past.

However, not everyone will need this ability enabled. Many aspects of the system work very well and are easy to use on smartphones or tablets. This is especially true since the core of WordPress works exceptionally well in a mobile environment.

Disabling XMLRPC Through Plugins

While many things can be done at the coding level in WordPress, sometimes it’s just easier to use the right plugin. Today, we’re going to use Manage XML-RPC. This plugin is simple and does the job to enable and disable the XMLRPC whenever you wish.

To use this plugin:

Step 1: Go to the plugins area of your WordPress dashboard.

Step 2: Add a new plugin and search for “Manage XML-RPC.”

Step 3: After installing and activating the plugin, a new item called “XML-RPC Settings” will appear on the left side of your WordPress admin panel. Click this link to open the plugin.

Step 4: Check the box to “Disable XML-RPC” if you want to remove the remote access abilities of WordPress. At any time, you can uncheck the box to re-enable it.

NOTE: Manage XML-RPC also comes with the ability to disable pingbacks. You can also set certain IP addresses to enable and disable the feature. This can be convenient if you want the service to work for specific applications or users based on their IP address.

Step 5: Once your selections have been made, click the “Save Changes” button on the bottom left of the screen.

This plugin gives you the ability to enable or disable XMLRPC for the entire site or just a handful of IP addresses. It’s a nice feature to have, especially if you want to block specific users from accessing XMLRPC through WordPress.

Here are a few other plugins you may be interested in:

Disable XML-RPC

The Disable XML-RPC plugin is a simple way of blocking access to WordPress remotely. It’s one of the most highly rated plugins with more than 60,000 installations. This plugin has helped many people avoid Denial of Service attacks through XMLRPC.

G2 Security

G2 Security gives you the ability to disable XMLRPC as well as other features to lock down WordPress. It uses Google Safe Browsing, vulnerability alerts from WPScan, can disable the file editor and removes unnecessary headers from the system. It may be a good solution for those looking for website security. It’s a plugin that may be worth adding to your site.

Using the .htaccess File to Disable XMLRPC

A lot of people have found a wide degree of success by using the .htaccess file to disable XMLRPC. The code itself is relatively simple and can be of great use if you don’t want to worry about new plugins.

To use .htaccess to disable xmlrpc.php in WordPress:

Step 1: Go to the root folder of your WordPress website using FTP. The File Manager in cPanel can also be useful if you have it available.

Step 2: Find and edit the .htaccess file. In some versions of cPanel, this file will be hidden. You will need to set cPanel to view hidden files to access .htaccess.

Step 3: Add the following code:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Step 4: Save the .htaccess file.

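It’s that simple. Now, remote XMLRPC requests will be denied for every address except the one on the allow line (123.123.123.123 in this example). Replace it with an IP address that should keep access, or remove that line to block all remote requests. On Apache 2.4, the order, deny and allow directives rely on the mod_access_compat module.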

Using Code in a Site-Specific Plugin

A site-specific plugin can be extremely useful if you want to add functionality to your site without incorporating third-party software. It’s a great way to add snippets you find on the Internet to use in your site without editing a theme template or the functions.php file.

In your site-specific plugin, you can simply add the following code to disable the remote access feature:

// Turns off the XML-RPC methods that require authentication
add_filter('xmlrpc_enabled', '__return_false');

Once saved, the site-specific plugin will run the above code and disable XMLRPC. However, you will need to remove the code in the event you want to turn the feature back on.
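
The one-line filter above, extended into a complete site-specific plugin as an added example (not code from the original article or from WordPress). It also removes the pingback methods, which need no login and so are not covered by xmlrpc_enabled, and keeps XML-RPC available for an allowlisted address in the same way as the allow line in the .htaccess rule. The plugin name, the ssp_ prefix, the constant and the 203.0.113.10 address are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Site-Specific XML-RPC Lockdown (added example)
 * Description: Disables authenticated XML-RPC and pingbacks except for allowlisted IPs.
 */

// Assumption: addresses that may keep using XML-RPC, like the "allow from"
// line in the .htaccess rule. 203.0.113.10 is a documentation placeholder.
const SSP_XMLRPC_ALLOWED_IPS = array( '203.0.113.10' );

/**
 * True when the request comes from an allowlisted address.
 * REMOTE_ADDR is the peer that connected to the web server; behind a reverse
 * proxy or CDN it is the proxy's address, so the list must account for that.
 */
function ssp_xmlrpc_client_allowed() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return in_array( $ip, SSP_XMLRPC_ALLOWED_IPS, true );
}

// Turn off the XML-RPC methods that require a login for everyone else.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return ssp_xmlrpc_client_allowed() ? $enabled : false;
} );

// Remove the pingback methods, which do not require a login and are
// therefore still served when only xmlrpc_enabled is set to false.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( ! ssp_xmlrpc_client_allowed() ) {
        unset(
            $methods['pingback.ping'],
            $methods['pingback.extensions.getPingbacks']
        );
    }
    return $methods;
} );
```

Requests from other addresses still reach xmlrpc.php and receive an XML-RPC error response; use the .htaccess rule if the file should not be served at all.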

When will I need to enable XMLRPC on my site?

If you use, or are planning to use, a remote system to post content to your site, you will need this feature enabled. Otherwise, you won’t be able to make remote connections through the system. If you disabled the feature and found that some of your plugins or other tools no longer work, you will need to re-enable it to continue using those additions.

Not everyone will need XMLRPC turned on within WordPress for it to function properly. In fact, a lot of you may never use this feature at all. If you’re worried about additional security issues, it’s in your best interest to disable this feature until you absolutely need it.

What kind of tools have you disabled in WordPress? What plugins do you have to take the place of coding on your website?

Author: Chris Racicot

Chris is the Support Manager at GreenGeeks and has been with the company since 2010. He has a passion for gaming, scripting and WordPress. When he’s not enjoying his sleep, he’s working on his guitar skills and fiddling with 3d printing.

Updated on December 15, 2017

Comments

  1. My issue is that I want to be able to make sure that XML-RPC is switched on as using IFTTT requires it to enable use of wordpress in its system. Is there a plugin that allows you to switch it on or off?

  2. My problem seems to be the opposite. I’m attempting to connect my website to Windows LiveWriter and when I try to log in it can’t locate the file xmlrpc.php. It says:

    “The following website address could not be found xmlrpc.php. Please check the URL and try again.”

    So, I tried to look for that file in File Manager and it doesn’t exist. What do I do to get this working?

  3. Hi,
    I have this rule in my .htaccess to protect xmlrpc.php.

    #This rule will redirect /xmlrpc.php requests to localhost 😉
    Redirect 301 /xmlrpc.php http://127.0.0.1

    Thanks
