How to Block XML-RPC Attacks?
How to Disable xmlrpc.php in WordPress?

What is XML-RPC?

XML-RPC is a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism. In short, it is a system that allows you to post on your WordPress blog using WordPress mobile app. It is also needed if you want to make connections to services like IFTTT.

If you want to access and publish to your blog remotely, then you need XML-RPC enabled.

How to Disable XML-RPC



Login Security – Disable XML-RPC authentication

Disable XML-RPC

Disable XML-RPC.

Actvate plugin

WordPress filter

All you have to do is paste the following code in a site-specific plugin:

add_filter('xmlrpc_enabled', '__return_false');

Via .htaccess

Simply paste the following code in your .htaccess file:

<Files xmlrpc.php>
	order deny,allow
	deny from all
	allow from

WAF – Web Application Firewall


Cloudlfare – Firewall Rules – URI contains xmlrpc.php

If you have found a spelling error, please, notify us by selecting that text and pressing Ctrl+Enter.

Scroll up

Spelling error report

The following text will be sent to our editors: