XMLRPC is a legacy remote procedure call protocol that WordPress has supported since its early days. It was designed to allow third-party apps like mobile publishing apps and desktop blogging clients to interact with WordPress. Today it's mostly unnecessary — and dangerous.
Why XMLRPC is a security risk
The core problem with XMLRPC is the system.multicall method, which allows multiple authentication attempts in a single HTTP request. This means an attacker can try thousands of password combinations while only making a handful of HTTP requests — bypassing login attempt limits entirely.
Common XMLRPC attacks include:
- Brute-force attacks — testing thousands of passwords per request
- DDoS amplification — using your server to attack other sites via Pingback
- Content injection — once credentials are obtained, injecting malware
WPStats checks whether xmlrpc.php returns a 200 OK response and flags it as a high-severity security issue if it does.
Do you need XMLRPC?
You probably don't. XMLRPC is needed for:
- The old WordPress mobile app (since replaced by the WordPress.com Gutenberg app, which uses the REST API)
- Desktop blogging clients like Windows Live Writer
- Some Jetpack features (though Jetpack has its own connection method)
If you don't use any of these, disable XMLRPC completely.
Method 1: Disable via .htaccess (recommended)
Add this to your .htaccess file (in your WordPress root directory):
# Disable XML-RPC
<Files xmlrpc.php>
    # Apache 2.2 syntax; also accepted by Apache 2.4 when mod_access_compat is loaded
    Order Deny,Allow
    Deny from all
    # On Apache 2.4 without mod_access_compat, replace the two lines above with: Require all denied
</Files>
This blocks access at the web-server level before PHP even runs, which makes it the cheapest method. Note that .htaccess files are honoured by Apache (and LiteSpeed); nginx ignores them, so there you need an equivalent location block in the server configuration.
Method 2: Disable via functions.php
Add to your theme's functions.php or a custom plugin (a small plugin survives a theme switch; functions.php does not):
// Disable XMLRPC: returning false from 'xmlrpc_enabled' makes every method that
// requires a login fail with "XML-RPC services are disabled on this site."
// Caveat: methods that do not authenticate, such as pingback.ping, stay reachable.
add_filter('xmlrpc_enabled', '__return_false');

// Also remove the X-Pingback header so the endpoint is not advertised
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
Method 3: Use a security plugin
Security plugins like Wordfence, Sucuri, or iThemes Security can disable XMLRPC with a single checkbox in their settings panel.
Verify it's disabled
After disabling, visit https://yoursite.com/xmlrpc.php in your browser. You should see a 403 Forbidden error (not the "XML-RPC server accepts POST requests only" message). You can also use WPStats to scan your site and confirm the XMLRPC check passes.
Note: If you use Jetpack, check whether any of its features depend on XMLRPC before disabling. Modern Jetpack uses the REST API, but some legacy modules may still use XMLRPC.
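To script the verification step above, here is an added example (not part of the original article) that classifies a response from xmlrpc.php: a 403 from Method 1 counts as blocked, the GET banner counts as exposed, and a system.listMethods reply is checked for the risky methods still advertised (the xmlrpc_enabled filter from Method 2 only blocks methods that need a login, so pingback.ping stays listed). The sample responses, the probe builder and the verdict names are constructed for this example.

```python
# Added example, not code from the original article: classify what xmlrpc.php
# returns so the "verify it's disabled" step can be scripted. Sample responses
# below are constructed; no real site is contacted.
import xml.etree.ElementTree as ET

# Methods worth flagging even when authenticated calls are turned off:
# system.multicall batches logins, pingback.ping enables DDoS amplification.
RISKY_METHODS = ("system.multicall", "pingback.ping")

def build_list_methods_call() -> bytes:
    """Body for a system.listMethods call (it takes no credentials)."""
    call = ET.Element("methodCall")
    ET.SubElement(call, "methodName").text = "system.listMethods"
    return ET.tostring(call, encoding="utf-8", xml_declaration=True)

def methods_from_response(body: str) -> list:
    """Method names from a listMethods methodResponse, [] if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodResponse" or root.find("fault") is not None:
        return []
    return [v.text for v in root.iter("string") if v.text]

def assess(status: int, body: str) -> dict:
    """Verdict for one probe: blocked (Method 1 worked), exposed, or unknown."""
    if status in (403, 404, 405, 410):
        return {"verdict": "blocked", "risky": []}
    if "accepts POST requests only" in body:  # GET reached the PHP handler
        return {"verdict": "exposed", "risky": []}
    methods = methods_from_response(body)
    if not methods:
        return {"verdict": "unknown", "risky": []}
    return {"verdict": "exposed", "risky": [m for m in RISKY_METHODS if m in methods]}

# Constructed sample responses: a 403 from the .htaccess rule, the GET banner,
# and a listMethods answer from a site that still exposes the endpoint.
BLOCKED = (403, "<html><body><h1>Forbidden</h1></body></html>")
GET_BANNER = (200, "XML-RPC server accepts POST requests only.")
LIST_OK = (200, "<?xml version='1.0'?><methodResponse><params><param><value><array><data>"
           "<value><string>system.multicall</string></value><value><string>system.listMethods</string></value>"
           "<value><string>pingback.ping</string></value><value><string>wp.getUsersBlogs</string></value>"
           "</data></array></value></param></params></methodResponse>")

if __name__ == "__main__":
    for name, probe in (("htaccess", BLOCKED), ("get", GET_BANNER), ("post", LIST_OK)):
        print(name, assess(*probe))
```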
Check if XMLRPC is exposed on your site
WPStats checks XMLRPC status alongside 10+ other security indicators.