How to Disable XML-RPC in WordPress 2016

Last week, a friend of mine asked me a question: Do you know what XML-RPC is? And how do you disable XML-RPC in WordPress?

XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. “XML-RPC” also refers generically to the use of XML for remote procedure call, independently of the specific protocol.


Q2: Do you know what it's for?

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

But like other things, it has both advantages and disadvantages. XML-RPC provides an additional attack surface if a vulnerability is ever found in it, so keeping it disabled makes more sense.

How to Disable XML-RPC in WordPress

1. Install the plugin

You can just install the plugin called Disable XML-RPC.


2. Paste the following code in your Theme Functions File

// Turns off the XML-RPC methods that require authentication
add_filter('xmlrpc_enabled', '__return_false');

3. Block WordPress xmlrpc.php requests with .htaccess

Simply paste the following code in your .htaccess file:

# BEGIN protect xmlrpc.php
<Files xmlrpc.php>
# Apache 2.2 access-control syntax (Apache 2.4 equivalent: Require all denied)
order allow,deny
deny from all
</Files>
# END protect xmlrpc.php

If you don’t use any mobile app or remote connections to publish on your blog, you can disable XML-RPC by default.