How to disable Xmlrpc.php access in WordPress

XML-RPC is a feature of WordPress that allows data transmission over HTTP using XML as the encoding mechanism. It was originally created to facilitate communication between WordPress and other systems. An example use case is publishing from a mobile device to your site via the remote access feature enabled by xmlrpc.php.

XML-RPC-related security issues have recently arisen, and the use of XML-RPC will be deprecated with the use of the new WordPress API. Since XML-RPC is rarely used, it can be completely disabled in your WordPress site.

Disable Xmlrpc.php in WordPress-Apache Web Server

If you are using an Apache web server, you can add the following code block to open the web configuration file and prevent users from accessing xmlrpc.php:

# Block access to WordPress xmlrpc.php

  Order Deny,Allow
  Deny from all

If you only allow access from trusted networks, add the IP address as shown below.

# Block access to WordPress xmlrpc.php

  Order Deny,Allow
  Deny from all
  Allow from x.x.x.x
  • Changing x.x.x.x to IP address will access xmlrpc.php from it.

Restart the apache server after changes.

--- Debian / Ubuntu ---
$ sudo systemctl restart apache2

--- CentOS / Fedora / RHEL ---
$ sudo systemctl restart httpd

Disable Xmlrpc.php in WordPress – Nginx web server

For Nginx users, disable access to xmlrpc.php by adding a line like the following to your web configuration population:

location = /xmlrpc.php {
          deny all;
          access_log off;
          log_not_found off;

Restart the Nginx server after making changes.

sudo systemctl restart nginx

If you try to access a PHP script, you should receive a 403 Forbidden error message.

Disable Xmlrpc.php in WordPress using plugin

There are some plugins that can help you disable Xmlrpc.php in WordPress. If you go to the “Plugins” section and search for the keyword “Disable XML-RPC“.

Other security plugins, such as Wordfence Security-Firewall and Malware Scanning, also provide disable options XML-RPC on WordPress.

More guides on the web:

Best free and open source web hosting control panel

How to host a WordPress website with Caddy Web Server

Install Drupal 8 on Debian 10 (Buster) Linux

Best Commercial Panel Alternative