Wordpress Pingback XMLRPC
Pingback XMLRPC
all in one wp security and firewall
Are XML-RPC attacks dangerous in WordPress?

WordPress XML-RPC /Brute Force /DDoS attack

Weve come along way since WordPress was first launched. Back in the day, the feature called XML-RPC was extremely useful. In a time with slow internet speed and constant lags, it was difficult to write content online in real-time, like we do now. The XML-RPC function enabled users to write their content offline, say on Microsoft Word, and then publish it all together in one go. But you might did not know that you should disable XMLRPC in your WordPress website.
Today, with faster internet speeds, the XML-RPC function has become redundant to most users. It still exists because the WordPress app and some plugins like JetPack utilize this feature.
If you dont use any of these plugins, mobile apps, or remote connections, its best to disable it. Why? Every additional element on your site gives hacks one more opportunity to try to break into your site. Disabling the feature makes your site more secure.
In this article, well show you why and how to disable XML-RPC.

What Is XML-RPC?

XML-RPC is a feature of WordPress. It enables a remote device like the WordPress application on your smartphone to send data to your WordPress website. If you want to publish an article on your WordPress website via the WordPress application, XML-RPC is what enables you to do that.
If you look at the phrase XML-RPC, it has two parts. RPC is a Remote Procedure Call which means you can remotely call for actions to be performed. And here, XML (Extensible Markup Language) is used to encode the data that needs to be sent.

Do You Need XML-RPC?

To decide if you need XMLRPC, you have to first understand what functions does the XMLRPC serves on your WordPress website. The file serves three primary functions:

    • WordPress App If you use the WordPress app on your mobile device to post to your site, you need XML-RPC. The app uses this function to communicate to your WordPress website by making a remote connection.
    • Trackbacks and pingbacks When you publish content, if you have provided a link to another blog or a website, this feature will alert the other website that youve linked to them. Trackbacks are created manually while pingbacks are automated. If you use these options, you need access to the XML-RPC.php file to be enabled.
    • JetPack plugin JetPack is a popular plugin that is used by over 5 million WordPress sites. It offers services related to security, performance and site management. It uses XML-RPC to communicate with WordPress.com. If youre a subscriber of JetPack, you need XML-RPC enabled.

Is XML-RPC Dangerous?

The straightforward answer is no. But we cant stop there. Lets take a step back.
Initially, a manual WordPress installation had XML-RPC disabled by default. To enable it, you had to go to Settings > Writing > Remote Publishing. However, from version 3.5 onwards, WordPress has it enabled by default and the option to enable or disable it was removed.
In September 2015, a vulnerability appeared in the XML-RPC function. WordPress released a patch immediately in version 4.4.1. But millions of websites are still running on outdated versions which put them at potential risk of being hacked.
XML-RPC is safe, so long as youve installed WordPress version 4.4.1 or higher.
75% of WordPress sites are running on outdated versions! Update your website to avoid the risk of being hacked. Click To Tweet

Then why do we recommend disabling it?

Hackers try to find any element on your website that has a weakness. They exploit it and break into your site. With XML-RPC, there are two weaknesses that could possibly be exploited by hackers:

    1. When you want to publish content from a remote device, an XML-RPC request is created. These requests are authenticated with a simple username and password. This is a basic security check. If a hacker manages to get their hands on these credentials, they could use it to send their own requests. In this way, they gain access to your site.
    2. XML-RPC is designed for users to publish content in large volumes. This enables brute force attacks wherein hackers use bots to try to guess your username and password. Through the XML-RPC function, they can make login attempts by sending large amounts to guess your credentials.

Lastly, if a hacker has already gained access to your site, they can misuse the XML-RPC pingback function to carry out DDoS attacks. In such an attack, hackers bring down websites (usually ones of big brands or governments) by sending pingbacks from thousands of sites. This sudden surge in data being received overloads the targets web server and can possibly crash the site.
In the previous section, we mentioned why you need XMLRPC. But if you are not using the WordPress mobile app nor the JetPack plugin and if you dont find trackbacks and pingbacks useful then its best to disable the xmlrpc.php files.
By disabling it, you will ensure that the feature/function cannot be used to hack your WordPress website.

How to disable XML-RPC in WordPress

You can block the XML-RPC feature on your WordPress website manually or you could use a plugin. We recommend using a plugin because its faster, simpler and doesnt carry any risk. The manual method involves making changes to your WordPress files which is always risky business. That said, well show you both the methods.

Disable XML-RPC using a plugin

To block WordPress xmlrpc.php requests, there is a plugin called Disable XML-RPC that you can use. Its simple and straightforward. Heres how you can set it up on your site:
1. Login to your wp-admin dashboard.
2. On the left-hand menu, choose Plugins.
3. Here, click on Add New.

4. Here, search for the Disable XML-RPC plugin. The plugin is compatible with any WordPress site running on version 3.5 and above.

5. Install and activate the plugin. It will automatically disable WordPress xmlrpc.php in once you activate the plugin.
6. If you ever want to enable XMLRPC, then just deactivate the plugin.

Disable XML-RPC Manually

As we mentioned earlier, the manual method is risky, hence you need to take a few precautions before you disable XMLRPC on your WordPress site.

    • Take a full backup of your WordPress site. In the manual method, we will be Altering WordPress files which carries high risk. Small mistakes can end up breaking your website. If things go wrong, you can always restore your backup.
    • We recommend using a staging WordPress site to disable XML-RPC manually. Here, you can make changes to the staging site without affecting your live site. Once youre sure it works fine, you can simply push the change to your live site. Staging sites are easy to create with the BlogVault plugin. Alternatively, your host may provide you with this option.

With these precautions handled, we can begin with the manual method of disabling XML-RPC on your WordPress site:
1. Login to your WordPress hosting platform account and go to cPanel. Here, you will see File Manager.

2. Once inside the file manager, youll see a list of folders. Your websites folders should be under the folder named public_html. It will have three main folders wp-admin, wp-content, and wp-includes.

3. Find the htaccess file here. And if you dont, you can use the search bar on the top-right of the screen to look for it.


If your website has a .htaccess file but you cant see it, visit settings and click on show hidden files.

If your website doesnt have an htaccess file, you can create one. Use the +File option on the top-left corner of the screen.

4. Open the .htaccess file by right-clicking and choosing Edit.
5. Paste the following code that disables XML-RPC to this file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
If you would like to retain XML-RPC from a particular IP, replace xxx.xxx.xxx.xxx with your IP address, Otherwise, you can simply delete this line.
6. Save and close the file.

No Access to File Manager

If you dont have access to File Manager, you can carry out the same process using an FTP client. Follow our WordPress Tutorial on using FTP. WordPress XML-RPC should be disabled on your website. If you used a WordPress staging site, merge the changes. If you are not using a staging site, replicate the steps on the live site. We recommend that you visit your site and check your pages to make sure everything is functioning fine.
I disabled XML-RPC on my WordPress site with this easy step-by-step guide from MalCare.


Remember, if you choose to use the XML-RPC function, make sure your WordPress installation is updated. You need to be using version 4.4.1 or higher to ensure your website is not at risk of being hacked.
If you dont need the XML-RPC feature, disabling it makes your site more secure against hackers. But this doesnt ensure all-round protection of your WordPress site. Even if you disable XML-RPC in WordPress, there are many other ways of hacking your website.