Think of XML-RPC like a special doorbell for your WordPress site. It lets other apps and tools ring that doorbell to connect with your site. But, in the past, some hacked used XML-RPC to sneak into WordPress sites.

So, in this guide, we’ll walk you through how to turn off this doorbell feature (XML-RPC) in WordPress to keep your site safer.

Disable XML-RPC with .htaccess file

Luckily, Apache lets you do this with a simple directive for disabling XML-RPC for your wordpress installation.

Just open your website’s root folder via FTP or cPanel file manager, and find .htaccess file. (Note: If you cannot see it there in cPanel file manager, then it means that the file is hidden. Please go to file manager settings and make sure that “show hidden files” option is checked). Next, Edit .htaccess file. And add this line of code on top:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
 deny from all
allow from 123.123.123.123
</Files>
Note: Please change allow from 123.123.123.123 part. You can add any ip that you want to allow xmlrpc access from. If you want to block it all together then just remove this line.

Disable WordPress XML-RPC With a Plugin

Simply install and activate the “Disable XML-RPC-API” plugin to your WordPress site. Once it’s set up, it stops the unwanted doorbell feature (XML-RPC) right away.

If you ever want to adjust its settings, like giving access to specific trusted users, just head to the plugin’s options. From there, you can set it to recognize and allow certain visitors by listing their special addresses.

Testing if XML-RPC is disabled on your WordPress website

To make sure the unwanted doorbell (XML-RPC) is turned off on your WordPress site, you can do a quick check.

Just type in your website address followed by “/xmlrpc.php” in your browser, like this: “http://yourwebsite.com/xmlrpc.php”. Please replace yourwebsite.com with your site url/address.

If you did things right, you’ll see a message saying something like, “Forbidden: You don’t have permission to access this resource.” This means it’s turned off and working as it should.

That’s all for this tutorial. If you want to know how to keep WordPress secure in 2024 go to this link here.

If you have questions, Please feel free to put it in the comments section below

Was this article helpful?
YesNo

Leave a Reply

Your email address will not be published. Required fields are marked *

Close Search Window