WPSurfer.com

How to Disable the XML-RPC File in WordPress

Published on September 24, 2022 | Updated on July 6, 2024

XML-RPC is a feature of WordPress that enables remote access to WordPress sites.

XML-RPC enables content management remotely, which is especially helpful for users who need to publish content while on the go. This is used by mobile apps, external publishing platforms, and desktop editors like WordPress mobile app.

While it can be useful in some situations, keeping XML-RPC enabled can also be a security risk.

Attackers can use XML-RPC to send multiple login attempts in a single request.

XML-RPC’s pingback functionality can be used in DDoS attacks to amplify requests and overload a site.

To disable XML-RPC in WordPress, you can use a plugin like Disable XML-RPC which has more than 200,000+ active installations.


XML-RPC to Brute Force Attack a Website

Here is the XML-RPC request to test a username and password for a WordPress site:

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param>
      <value><string>your-username</string></value> <!-- Replace with your WordPress username -->
    </param>
    <param>
      <value><string>your-password</string></value> <!-- Replace with your WordPress password -->
    </param>
  </params>
</methodCall>

Disable XML-RPC Code Snippet

If you don’t have love for one more plugin, simply add the following code to your site via the functions.php file of your site’s child theme.

add_filter('xmlrpc_enabled', '__return_false');

If you want to create a mu-plugin, you could use this code snippet

<?php
/*
Plugin Name: Disable XML-RPC
Description: Disable XML-RPC in WordPress for security.
Author: TicoLibre
Version: 1.0
*/
add_filter('xmlrpc_enabled', '__return_false');

Mu-plugins ensure they can’t be deactivated, providing a constant layer of protection.


Disable XML-RPC with Exceptions

But let’s say that you want to block access to the XML-RPC for everyone, except for one or two services out there.

You could easily do that by finding out the IP’s used by such services and create exceptions for them.

This is a little bit more complex mu-plugin to handle exceptions.

<?php
/*
Plugin Name: Conditional Disable XML-RPC
Description: Disable XML-RPC with exceptions for specific IP addresses.
Author: TicoLibre
Version: 1.0
*/
// Exit if accessed directly
if (!defined('ABSPATH')) {
    exit;
}
function conditional_disable_xmlrpc($enabled) {
    // List of IP addresses to allow XML-RPC for
    $allowed_ips = array(
        '123.456.789.0', // Replace with the allowed IP addresses
        '987.654.321.0',
    );
    // Get the visitor's IP address
    $visitor_ip = $_SERVER['REMOTE_ADDR'];
    // Check if the visitor's IP address is in the allowed list
    if (in_array($visitor_ip, $allowed_ips)) {
        return true; // Enable XML-RPC for allowed IP addresses
    }
    return false; // Disable XML-RPC for all other IP addresses
}
add_filter('xmlrpc_enabled', 'conditional_disable_xmlrpc');

Manuel Campos

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.