Block XML-RPC in WordPress

Last Revised: October 2, 2021

One of the advantages of WordPress is its flexibility when it comes to being used by third-party applications, and many of them rely on the XML-RPC standard, which allows them to interact with the content manager. Obviously, if you disable this technology you will no longer be able to use programs like Open Live Writer, tools like IFTTT, or even the WordPress app itself for Android or iOS.

There is a very useful tool for checking whether XML-RPC is working on a site or not, called WordPress XML-RPC Validation Service.

Disable XML-RPC

<?php
add_filter('xmlrpc_enabled', '__return_false'); // reject every XML-RPC method that requires login

Step-by-step instructions

  1. Create the plugin or download it already created (unzip the ZIP file).
  2. Access the [/wp-content/mu-plugins/] folder via FTP. If you don't have this folder, create it.
  3. Upload the file [wpdanger-xmlrpc.php] via FTP to the folder [/wp-content/mu-plugins/].
  4. When you enter the administration panel of your WordPress, in the Plugins area you will see a new Must-Use plugins section where it will appear. Remember that, being a Must-Use plugin, you will not be able to activate or deactivate it.

Disable XML-RPC Pingbacks

<?php
// Remove the pingback methods from the XML-RPC server so that pingback.ping
// can no longer be called (this is what stops pingback abuse through XML-RPC).
function wpdanger_xmlrpc_ping($methods) {
  unset($methods['pingback.ping']);
  unset($methods['pingback.extensions.getPingbacks']);
  return $methods;
}
// Stop advertising the pingback endpoint in the X-Pingback response header.
function wpdanger_xmlrpc_header($headers) {
  unset($headers['X-Pingback']);
  return $headers;
}
// Both filters pass a single argument, so accepted_args is 1.
add_filter('xmlrpc_methods', 'wpdanger_xmlrpc_ping', 9999, 1);
add_filter('wp_headers', 'wpdanger_xmlrpc_header', 9999, 1);

Step-by-step instructions

  1. Create the plugin or download it already created (unzip the ZIP file).
  2. Access the [/wp-content/mu-plugins/] folder via FTP. If you don't have this folder, create it.
  3. Upload the file [wpdanger-xmlrpc-pingback.php] via FTP to the folder [/wp-content/mu-plugins/].
  4. When you enter the administration panel of your WordPress, in the Plugins area you will see a new Must-Use plugins section where it will appear. Remember that, being a Must-Use plugin, you will not be able to activate or deactivate it.

Allow limited IP access

Since disabling XML-RPC entirely can be too aggressive, you can consider lighter options, such as allowing access to xmlrpc.php only from a specific IP address (for example, your own) and denying it to everyone else.

In Apache HTTPD (inside the .htaccess file):

<Files xmlrpc.php>
  # Apache 2.2 access directives; on Apache 2.4 they require mod_access_compat
  # (the native 2.4 equivalent is "Require ip"). Keywords are comma-separated
  # with no space.
  Order Deny,Allow
  Deny from all
  Allow from 8.8.8.8
</Files>

You have to change 8.8.8.8 to your own IP address.

In nginx (within the site configuration file):

location = /xmlrpc.php {
  # Only the allowlisted address may reach xmlrpc.php; everyone else gets 403.
  # (The original placed "allow" outside any "deny", which blocked nobody.)
  allow 8.8.8.8;
  deny all;
  # XML-RPC is POST-only, so reject other methods even for allowed clients.
  limit_except POST {
    deny all;
  }
  access_log off;
  log_not_found off;
  # This exact-match location takes precedence over the generic PHP location,
  # so repeat that block's fastcgi_pass/include directives here; otherwise
  # allowed clients would be served the raw PHP file.
}

You have to change 8.8.8.8 to your own IP address.
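As an added example (not part of the WP SysAdmin article), the same allowlist idea implemented inside WordPress as a must-use plugin, so it works regardless of the web server and can be checked with the validation service mentioned above. It combines the two filters from the earlier sections and also covers pingback.ping and the other unauthenticated methods, which the xmlrpc_enabled filter alone leaves reachable. The constant name, the function names and the 203.0.113.10 address are assumptions; replace the address with your own.

```php
<?php
/*
Plugin Name: XML-RPC IP allowlist (example)
Description: Blocks every XML-RPC method and the X-Pingback header unless the client IP is allowlisted.
*/

// Assumed list of clients that may use XML-RPC. 203.0.113.10 is a
// documentation-range placeholder: replace it with your own address(es).
const WPDANGER_XMLRPC_ALLOWED_IPS = array('203.0.113.10');

/**
 * True when the request comes from an allowlisted address.
 * REMOTE_ADDR is the address the web server saw. Behind a reverse proxy or
 * CDN, configure the proxy module (mod_remoteip, ngx_http_realip_module) to
 * restore the real client IP; do not read X-Forwarded-For here, because any
 * client can forge it.
 */
function wpdanger_xmlrpc_client_allowed() {
  $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
  if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    return false; // missing or malformed address: deny by default
  }
  return in_array($ip, WPDANGER_XMLRPC_ALLOWED_IPS, true);
}

// Authenticated methods: returning false from xmlrpc_enabled makes every
// method that calls login() fail with "XML-RPC services are disabled".
// It does NOT cover pingback.ping or the system.* methods.
add_filter('xmlrpc_enabled', 'wpdanger_xmlrpc_client_allowed');

// Unauthenticated methods (pingback.ping, demo.sayHello, ...): drop all
// registered WordPress methods for non-allowlisted clients, so they can
// only reach IXR's built-in system.* introspection methods.
function wpdanger_xmlrpc_restrict_methods($methods) {
  return wpdanger_xmlrpc_client_allowed() ? $methods : array();
}
add_filter('xmlrpc_methods', 'wpdanger_xmlrpc_restrict_methods', 9999);

// Stop advertising the endpoint via the X-Pingback header for everyone;
// allowed clients already know the URL.
function wpdanger_xmlrpc_strip_header($headers) {
  unset($headers['X-Pingback']);
  return $headers;
}
add_filter('wp_headers', 'wpdanger_xmlrpc_strip_header', 9999);
```

Upload it to [/wp-content/mu-plugins/] in the same way as the plugins above.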

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content on your website, in your presentation or in any material you distribute, remember to mention this site or its author, and put the material you create under the EUPL license.