I’ve been working with WordPress as a full-time developer since 2019 and have contributed to WordPress core a few times, so I’ve watched the platform evolve into something truly versatile. But with versatility comes complexity, and one of the features that has caused friction over the years is XML-RPC. Let’s face it: XML-RPC used to be handy for mobile publishing and certain integrations, but today it is more often exploited by malicious actors brute-forcing login credentials or launching DDoS attacks. If you’re like me and value a good night’s sleep (and a secure site), disabling XML-RPC might be the way to go.
First off, you don’t have to turn to a plugin for this. I’m not opposed to plugins—far from it—but there’s something neat and efficient about using what’s already under your hood. If you’re comfortable editing server configurations, .htaccess is your friend. A quick tweak and you’re well on your way to a less attractive target for attackers.
Here’s the snippet I often recommend. Pop this into your .htaccess file at the root of your WordPress installation:
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Match requests for xmlrpc.php at the root of the WordPress install
RewriteCond %{REQUEST_URI} ^/xmlrpc\.php$
# Answer with 403 Forbidden and stop processing further rules
RewriteRule .* - [F,L]
</IfModule>
```
What this does is simple: any requests that try to access the xmlrpc.php file get served a big “Nope!” in the form of a 403 Forbidden response. It’s like putting a closed sign on a backdoor that you never really wanted open in the first place. By doing this, you stop bots and hackers from leveraging XML-RPC as an entry point into your site’s admin features.
Don’t want to muck around in .htaccess? That’s fine, you can also drop a few lines of PHP in your functions.php file or a custom functionality plugin if you prefer to keep configuration at the theme or plugin level:
```php
<?php
// Tell WordPress to refuse XML-RPC requests that need a login
add_filter( 'xmlrpc_enabled', '__return_false' );
```
This single filter hook tells WordPress itself, “Hey, we don’t need XML-RPC anymore—please disable it.” It’s a gentle yet effective way to cut off the feature at the core, ensuring no one can tap into it unexpectedly.
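One thing to know about that filter: xmlrpc_enabled only makes WordPress refuse the methods that require a login, so xmlrpc.php itself still answers and unauthenticated methods such as pingback.ping (the one abused in pingback-based DDoS attacks) stay reachable. Here is an added example, not the snippet from this post, of a fuller drop-in for functions.php or a must-use plugin that combines the filter with the xmlrpc_methods and wp_headers hooks to remove the pingback methods and stop advertising the endpoint. It assumes nothing beyond standard WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hardened)
 * Description: Added example, not the original post's snippet. Save as
 * wp-content/mu-plugins/disable-xmlrpc.php or paste the body into functions.php.
 */

// 1. Refuse every XML-RPC method that needs a login (the filter from the post).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the unauthenticated pingback methods, which xmlrpc_enabled leaves
//    reachable; pingback.ping is the method abused in pingback DDoS attacks.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header when
//    WordPress emits it, and the RSD <link> tag in <head> that points at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Close pings on content and blank the pingback URL so nothing on the site
//    hands clients the XML-RPC address.
add_filter( 'pings_open', '__return_false' );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

To check the result, a POST to xmlrpc.php calling system.listMethods should no longer list pingback.ping, and any login-based call should come back with the "XML-RPC services are disabled on this site." fault.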
Once you’ve disabled XML-RPC, give your site a test. Try hitting yoursite.com/xmlrpc.php in your browser. Instead of seeing any XML messages, you should get an error page. If that’s the case, congratulations—you’ve closed off a notorious loophole and beefed up your security.
Security is never a one-and-done solution. Disabling XML-RPC is just one piece of the puzzle. Combine it with strong passwords, two-factor authentication, and limited login attempts, and you’ve got a healthier, tougher WordPress environment. It’s a small tweak, sure, but when you’re as passionate about this platform as I am, every little improvement matters. It’s all about keeping our WordPress ecosystems as safe, stable, and user-friendly as possible.