Disable XML-RPC For Better WordPress Security

XML-RPC is an outdated website communications method which could leave the back-door open for hackers to get access to your WordPress website.

What Is XML-RPC?

It’s a protocol for sending data to or performing actions on a server, or in our case a WordPress website.

There are two parts to XML-RPC.

RPC stands for Remote Procedure Call, where you ask a remote service to perform an action – update a post title, delete a user, etc.

XML stands for Extensible Markup Language and is the format of the data passed to the remote action so that it can run.
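The two parts can be seen in a small offline exchange. This is an added example using Python's standard library, not WordPress code: the procedure name `demo.updatePostTitle` and the `POSTS` data are hypothetical, and a "disabled" service is modelled here simply as a server with no procedures registered.

```python
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed sample data standing in for a site's posts.
POSTS = {7: "Old title"}


def update_post_title(post_id, title):
    """Hypothetical remote procedure, modelled on the 'update post title' action."""
    POSTS[post_id] = title
    return True


def build_call(method, *params):
    """Client side: the RPC part is the method name, the XML part carries the data."""
    return xmlrpc.client.dumps(params, methodname=method)


def serve(request_xml, enabled=True):
    """Server side: parse the XML, run the named procedure, answer in XML."""
    dispatcher = SimpleXMLRPCDispatcher()
    if enabled:  # assumption: "disabled" means nothing is registered
        dispatcher.register_function(update_post_title, "demo.updatePostTitle")
    return dispatcher._marshaled_dispatch(request_xml.encode("utf-8")).decode("utf-8")


def read_reply(response_xml):
    """Client side: decode the reply; a refused call comes back as a <fault>."""
    try:
        (result,), _ = xmlrpc.client.loads(response_xml)
        return ("ok", result)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultString)


if __name__ == "__main__":
    request = build_call("demo.updatePostTitle", 7, "New title")
    print(request)                                   # the <methodCall> document
    print(read_reply(serve(request)), POSTS)         # procedure ran, title changed
    POSTS[7] = "Old title"
    print(read_reply(serve(request, enabled=False)), POSTS)  # fault, data untouched
```

With the procedure registered, anyone who can reach the endpoint can ask for the action to run; with nothing registered, the same request only produces a fault and the data is unchanged.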

Why Do I Need XML-RPC?

Chances are you don’t.

The XML-RPC protocol is used for the following:

Pingbacks and Trackbacks

Back in yonder days, before Google Analytics, when WordPress was just a blog, emphasis was on link building.

When somebody adds your link to their website, WordPress uses the XML-RPC protocol to notify you in the comments section of the post.

Does anyone use pingbacks or trackbacks nowadays?

The WordPress Mobile App

WordPress has an official mobile app allowing you to log in and update your WordPress website on the go from your mobile device.

It still uses the XML-RPC protocol to send updates to your site, so if you are a mobile app user, then you will still need to keep the protocol in place.

Note: I mean the official WordPress mobile app – not logging in to your website using your phone’s browser.

JetPack Plugin

JetPack is one of the most popular WordPress plugins that connects your website to wordpress.com for content statistics and many more useful functions.

It also still uses the XML-RPC protocol to pull your post statistics down from wordpress.com so if you disable the protocol, that part of JetPack won’t work.

But hey, there’s this thing called Google Analytics!

Is XML-RPC Dangerous?

No, it’s just a protocol like TLS, SSL, HTTP, TCP/IP.

Protocols aren’t dangerous, but the things bad actors can do with open doorways are.

Why Disable XML-RPC Then?

If you don’t need the XML-RPC protocol then why leave a door open?

I like to keep all my website doors closed to intruders.

If there is a chance that a hacker can use an unused pathway or a door to access your website, shouldn’t you close that up just in case?

How To Disable XML-RPC

There are many plugins that will disable the protocol completely.

I also have one called Deactivate XML-RPC Service which will plug that leaky hole in your WordPress website.

When you take out a WP Wingman WordPress Site Care Plan, we will chat to you about all the ways we can beef up your WordPress site security including disabling the XML-RPC service.

Wil is a dad, consultant, developer, conference organiser, speaker and business mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.