XML-RPC is a feature of WordPress that enables remote access to WordPress sites. While it can be useful in some situations, it can also be a security risk.
Attackers can use XML-RPC to send multiple login attempts in a single request.
To disable XML-RPC in WordPress, you can use a plugin like Disable XML-RPC which has more than 200,000+ active installations.
Disable XML-RPC Code Snippet
If you don’t have love for one more plugin, simply add the following code to your site via the functions.php file of your site’s child theme.
add_filter('xmlrpc_enabled', '__return_false');If you want to create a mu-plugin, you could use this code snippet
<?php
/*
Plugin Name: Disable XML-RPC
Description: Disable XML-RPC in WordPress for security.
Author: TicoLibre
Version: 1.0
*/
add_filter('xmlrpc_enabled', '__return_false');
Disable XML-RPC with Exceptions
But let’s say that you want to block access to the XML-RPC for everyone, except for one or two services out there.
You could easily do that by finding out the IP’s used by such services and create exceptions for them.
This is a little bit more complex mu-plugin to handle exceptions.
<?php
/*
Plugin Name: Conditional Disable XML-RPC
Description: Disable XML-RPC with exceptions for specific IP addresses.
Author: TicoLibre
Version: 1.0
*/
// Exit if accessed directly
if (!defined('ABSPATH')) {
exit;
}
function conditional_disable_xmlrpc($enabled) {
// List of IP addresses to allow XML-RPC for
$allowed_ips = array(
'123.456.789.0', // Replace with the allowed IP addresses
'987.654.321.0',
);
// Get the visitor's IP address
$visitor_ip = $_SERVER['REMOTE_ADDR'];
// Check if the visitor's IP address is in the allowed list
if (in_array($visitor_ip, $allowed_ips)) {
return true; // Enable XML-RPC for allowed IP addresses
}
return false; // Disable XML-RPC for all other IP addresses
}
add_filter('xmlrpc_enabled', 'conditional_disable_xmlrpc');
