How to Enable and Disable XMLRPC.PHP in WordPress and Why

The XMLRPC is a system that allows remote updates to WordPress from other applications. For instance, the Windows Live Writer system is capable of posting blogs directly to WordPress because of XMLRPC. In its earlier days, however, it was disabled by default because of coding problems.

In essence, xmlrpc.php could open the site to various attacks and other issues. Luckily, the developers have long since tightened up the code, and it is still widely used.

In this tutorial, we’re going to show you how to enable and disable xmlrpc.php and why it’s important to know the difference.

Why Do You Need XMLRPC?

The XMLRPC allows remote connection to WordPress. Without it, various tools and publishing applications simply will not be able to access the website. Any updates or additions to the website would have to be made while logging directly into the system.

The Good

By disabling this feature, you eliminate the risk of external attacks gaining access through it. Although the contributors to this platform attest that the programming of XMLRPC is as secure as the rest of the core files of WordPress, some may feel safer with it disabled.

It’s like having a house with only one door. Adding a second door may be more convenient, but it creates another entry point that needs to be locked.

The Bad

The obvious downside to eliminating this feature is that remote access to WordPress will no longer be possible. This removes some of the functionality and versatility of the system. Instead of posting blogs from a different application automatically through remote access, any content and other changes would have to be made through logging directly into WordPress.

This can be problematic for those who like the idea of posting content directly from their mobile devices.

The Reality of XMLRPC

For the most part, XMLRPC is only truly useful if you’re planning to use mobile apps or remote connections to publish content on your website. As mobile use has been such a prevalent way to access the Internet, many people will use remote apps to make developing their WordPress sites much easier.

This is also one of the reasons why developers put so much effort into fixing the problems with this feature’s coding in the past.

However, not everyone will need this ability enabled. Many aspects of the system work very well and are easy to use on smartphones or tablets. This is especially true since the core of WordPress works exceptionally well in a mobile environment.

Disabling XMLRPC Through Plugins

While many things can be done at the coding level in WordPress, sometimes it’s just easier to use the right plugin. Today, we’re going to use Manage XML-RPC. This plugin is simple and does the job to enable and disable the XMLRPC whenever you wish.

To use this plugin:

Step 1: Go to the plugins area of your WordPress dashboard.

Step 2: Add a new plugin and search for “Manage XML-RPC.”

Step 3: After installing and activating the plugin, a new item called “XML-RPC Settings” will appear on the left side of your WordPress admin panel. Click this link to open the plugin.

Step 4: Check the box to “Disable XML-RPC” if you want to remove the remote access abilities of WordPress. At any time, you can uncheck the box to re-enable it.

NOTE: Manage XML-RPC also comes with the ability to disable pingbacks. You can also set certain IP addresses to enable and disable the feature. This can be convenient if you want the service to work for specific applications or users based on their IP address.

Step 5: Once your selections have been made, click the “Save Changes” button on the bottom left of the screen.

This plugin gives you the ability to enable or disable XMLRPC for the entire site or just a handful of IP addresses. It’s a nice feature to have, especially if you want to block specific users from accessing XMLRPC through WordPress.

Here are a few other plugins you may be interested in:

Disable XML-RPC

The Disable XML-RPC plugin is a simple way of blocking access to WordPress remotely. It’s one of the most highly rated plugins with more than 60,000 installations. This plugin has helped many people avoid Denial of Service attacks through XMLRPC.

G2 Security

G2 Security gives you the ability to disable XMLRPC as well as other features to lock down WordPress. It uses Google Safe Browsing, vulnerability alerts from WPScan, can disable the file editor and removes unnecessary headers from the system. It may be a good solution for those looking for website security. It’s a plugin that may be worth adding to your site.

Using the .htaccess File to Disable XMLRPC

A lot of people have found a wide degree of success by using the .htaccess file to disable XMLRPC. The code itself is relatively simple and can be of great use if you don’t want to worry about new plugins.

To use .htaccess to disable xmlrpc.php in WordPress:

Step 1: Go to the root folder of your WordPress website using FTP. The File Manager in cPanel can also be useful if you have it available.

Step 2: Find and edit the .htaccess file. In some versions of cPanel, this file will be hidden. You will need to set cPanel to view hidden files to access .htaccess.

Step 3: Add the following code:

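# Block WordPress xmlrpc.php requests
# (Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: to let one trusted address through, uncomment the next line
# and replace the placeholder with that IP address.
# allow from <trusted IP address>
</Files>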

Step 4: Save the .htaccess file.

It’s that simple. Now, anything remote using XMLRPC will be denied.

Using Code in a Site-Specific Plugin

A site-specific plugin can be extremely useful if you want to add functionality to your site without incorporating third-party software. It’s a great way to add snippets you find on the Internet to use in your site without editing a theme template or the functions.php file.

In your site-specific plugin, you can simply add the following code to disable the remote access feature:

add_filter('xmlrpc_enabled', '__return_false');

Once saved, the site-specific plugin will run the above code and disable XMLRPC. However, you will need to remove the code in the event you want to turn the feature back on.
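
To confirm which of the two controls above is answering, the .htaccess rule or the xmlrpc_enabled filter, this added check (not code from the original article or from WordPress) classifies the response to a login-gated XML-RPC call. The fault codes 405 and 403, the result labels and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
import xmlrpc.client

# Login-gated call with empty credentials: enough to see which layer answers.
PROBE = xmlrpc.client.dumps(("", ""), "wp.getUsersBlogs").encode()

def classify(status, body):
    """Name the control that produced one HTTP response from xmlrpc.php."""
    if status in (401, 403):
        return "blocked-by-server"      # web server refused; PHP never ran
    if status == 404:
        return "not-found"
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 405:      # assumed: xmlrpc_enabled returned false
            return "disabled-by-filter"
        if fault.faultCode == 403:      # assumed: login was evaluated, rejected
            return "enabled"
        return "unknown"
    except Exception:                   # HTML error page, empty body, ...
        return "unknown"
    return "enabled"                    # a normal methodResponse came back

def probe(site_url, timeout=10):
    """POST the probe to xmlrpc.php on a site you administer."""
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php",
                                 data=PROBE,
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

def _fault(code, text):
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, text))

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "htaccess deny": (403, "<html><h1>Forbidden</h1></html>"),
    "filter off": (200, _fault(405, "XML-RPC services are disabled on this site.")),
    "untouched": (200, _fault(403, "Incorrect username or password.")),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: {classify(status, body)}")
```

A "disabled-by-filter" result covers only the methods that require a login: the xmlrpc_enabled filter does not switch off pingbacks, while the .htaccess rule stops every request before WordPress loads.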

When will I need to enable XMLRPC on my site?

If you use, or are planning to use, a remote system to post content to your site, you will need this feature enabled. Otherwise, you won’t be able to make remote connections through the system. If you disabled the feature and found that some of your plugins or other tools no longer work, you will need to re-enable it to continue using those additions.

Not everyone will need XMLRPC turned on within WordPress for it to function properly. In fact, a lot of you may never use this feature at all. If you’re worried about additional security issues, it’s in your best interest to disable this feature until you absolutely need it.

What kind of tools have you disabled in WordPress? What plugins do you have that take the place of coding on your website?

Author: Chris Racicot

Chris is the Support Manager at GreenGeeks and has been with the company since 2010. He has a passion for gaming, scripting and WordPress. When he’s not enjoying his sleep, he’s working on his guitar skills and fiddling with 3d printing.

Updated on May 14, 2019


  1. My issue is that I want to be able to make sure that XML-RPC is switched on as using IFTTT requires it to enable use of WordPress in its system. Is there a plugin that allows you to switch it on or off?

  2. My problem seems to be the opposite. I’m attempting to connect my website to Windows LiveWriter and when I try to log in it can’t locate the file xmlrpc.php. It says:

    “The following website address could not be found xmlrpc.php. Please check the URL and try again.”

    So, I tried to look for that file in File Manager and it doesn’t exist. What do I do to get this working?

  3. I need to enable it for IFTTT. How to do it? The .htaccess does not restrict XML-RPC. I have installed Wordfence and Akismet. Do they disable the XML-RPC?

  4. XML RPC is a garbage file which gave a very nice dashboard for the people who hacked the theme I **bought**.
    So basically, XML RPC is a comfy couch you’re giving your hackers to hack your domain. WTF would WP put it in the first place? There are many secure free vpn services, like teamviewer or many others, are they insisting they invented something new?

    Jettison that comfy couch out of your server. I hope as many ppl would read this.

  5. Hi,
    I have this rule in my .htaccess to protect xmlrpc.php.

    #This rule will redirect /xmlrpc.php requests to localhost 😉
    Redirect 301 /xmlrpc.php


  6. erezT, despite your dogmatic and slightly aggressive opinion, one wouldn’t generally use RPC for “Remote Desktop” type purposes. RPC opens up the ability to hook into the WordPress API, e.g. upload media automatically via Zapier or IFTTT etc.

    Let’s not throw the baby out with the bathwater just because one may focus on all the negatives of RPC.

  7. Thanks Chris for the detailed explanation.

    Mattias, your suggestion of the littlebizzy plugin that issues 503’s is also helpful. I’m managing almost 40 WordPress sites, so I’m scouting for the most efficient way to implement. I use ManageWP so I can centrally install and activate a plugin on all sites with one request. I like that this plugin goes to work immediately on activation and doesn’t need manual configuration.

    Chris, you asked “What kind of tools have you disabled in WordPress?” I have two tiny plugins that I use for temporarily disabling WP features. One hides the edit post links so that I can view a page without the clutter and without logging out. The other disables the edit post lock, so that I can do a training session with a remote client and we can both view the edit screen. I just put them into GitHub in case they’re useful for anyone else: https://github.com/donnamcmaster/mcw-hide-edit-post-link and https://github.com/donnamcmaster/mcw-disable-edit-lock.

    You can pull the code out and put it into your functions file, but then you have to edit the file to turn them on/off. As plugins, they’re easy to enable only when you need them. HTH.

  8. XMLRPC makes WordPress sites programmable. Being able to post from a script is extremely useful for site management. The idea that everybody should have to use an interactive web interface is weird in the first place. The availability of XML RPC is what makes WordPress worthwhile.

  9. Thanks for the share.
    Any idea if a free account on WP.com can be connected via XMLRPC? I was trying to get OnlyWire on but without success. The suggestion from the software was to change the settings, but there are no settings for XMLRPC through the admin panel.

  10. erezT, why such absolutes? Why are you so willing to disable XML-RPC for the UNMEASURABLE improvement in security? Why limit the ability to manage a WordPress web site to just a web browser?

    The experience of editing WordPress from a mobile browser (and a touch screen interface) is painful. The experience from the WordPress app is much better.

    I think everyone needs to do their own assessment of the risk and make a decision. A “this should never be done” approach is untenable.

  11. I need to verify a new website with WordPress on Gravatar site, and when I try to verify it I am not able to, it’s got something to do with XML-RPC API.

    I downloaded the plugin too but nothing helped.

  12. You can take a look at the REST XML-RPC Data Checker (https://wordpress.org/plugins/rest-xmlrpc-data-checker/) plugin: it allows an extended access control to the XML-RPC and REST APIs (enabling also by user/IP/method or endpoint).

    REST API is enabled by default, and you should know that this way a WordPress instance is potentially leaking data (for example, anyone could easily copy your published contents natively, get the list of all users or retrieve other information that you didn’t want to be public).
