How to Disable the XML-RPC File in WordPress

Published on September 24, 2022 | Updated on July 6, 2024

XML-RPC is a feature of WordPress that enables remote access to WordPress sites. While it can be useful in some situations, it can also be a security risk.

Attackers can use XML-RPC to send multiple login attempts in a single request.

To disable XML-RPC in WordPress, you can use a plugin like Disable XML-RPC which has more than 200,000+ active installations.

Disable XML-RPC Code Snippet

If you don’t have love for one more plugin, simply add the following code to your site via the functions.php file of your site’s child theme.

add_filter('xmlrpc_enabled', '__return_false');

If you want to create a mu-plugin, you could use this code snippet

Plugin Name: Disable XML-RPC
Description: Disable XML-RPC in WordPress for security.
Author: TicoLibre
Version: 1.0

add_filter('xmlrpc_enabled', '__return_false');

Disable XML-RPC with Exceptions

But let’s say that you want to block access to the XML-RPC for everyone, except for one or two services out there.

You could easily do that by finding out the IP’s used by such services and create exceptions for them.

This is a little bit more complex mu-plugin to handle exceptions.

Plugin Name: Conditional Disable XML-RPC
Description: Disable XML-RPC with exceptions for specific IP addresses.
Author: TicoLibre
Version: 1.0

// Exit if accessed directly
if (!defined('ABSPATH')) {

function conditional_disable_xmlrpc($enabled) {
    // List of IP addresses to allow XML-RPC for
    $allowed_ips = array(
        '123.456.789.0', // Replace with the allowed IP addresses

    // Get the visitor's IP address
    $visitor_ip = $_SERVER['REMOTE_ADDR'];

    // Check if the visitor's IP address is in the allowed list
    if (in_array($visitor_ip, $allowed_ips)) {
        return true; // Enable XML-RPC for allowed IP addresses

    return false; // Disable XML-RPC for all other IP addresses

add_filter('xmlrpc_enabled', 'conditional_disable_xmlrpc');

Manuel Campos

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.






© 2024 WP SURFER • Made with Love in Costa Rica