Disable access to XMLRPC in WordPress

, , , , ,
Disable XML-RPC on WordPress Website

The following kinds of attacks on WordPress websites, specifically targeting xmlrpc.php, have received increasing press coverage since 2015:

If you (via an app) or your website (via a plugin) are not using the xmlrpc functionality then it may be wise to disable access to xmlrpc.php

There are several free and premium plugins to choose from on the official WordPress repository. Remember, disabling access to the xmlrpc file may break API functionality that your applications or plugins rely upon.

Later in this article will show you how to disable access to the xmlrpc without using any WordPress plugins.

 

What is XMLRPC?

XMLRPC on WordPress is an application program interface, API. It gives developers the ability to communicate with your WordPress website. The XMLRPC API provides developers with a way to write applications that can do many of the things that you can do when logged into your WordPress website via the web interface. These features may include:

  • Publishing, Editing or Deleting a post
  • Uploading a new image or file
  • Obtaining a list of comments
  • Editing comments

For a full list of the WordPress API functions available via XMLRPC, visit this link to the WordPress codex.

Remember, if you disable access to the XMLRPC file, you may lose the ability to use any application which uses this API to communicate with your WordPress website. With that in mind, the following will show you how to disable access to your xmlrpc.php file via your Apache .htaccess file.

 

Disable XMLRPC via .htaccess

The method used below is, in our opinion, the best way to block access to the xmlrpc.php file on the Apache or Nginx server. WordPress plugins that disable the XMLRPC API may not fully disable access to that file which provides you with a false sense of security.

 

 

Additionally, you may allow access to xmlrpc.php to specific IP addresses by adding the following just above the </Files> line where 111.222.333.444 is the address you wish to permit access to:

 

 

We hope this WordPress security article has been helpful. If so, please take a moment to like us on Facebook, share this on your social media. Let us know if you have any questions that we may be able to assist you with.