Last Revised: October 2, 2021
One of the advantages of WordPress is its flexibility when it comes to being used by third-party applications, many of which use the XML-RPC standard to interact with the content manager. Obviously, if you disable this technology you will not be able to use programs like Open Live Writer, tools like IFTTT, or even the WordPress app itself for Android or iOS.
There is a very interesting tool for verifying whether this technology is working, called WordPress XML-RPC Validation Service.
- Disable XML-RPC
- Disable XML-RPC Pingbacks
- Allow limited IP access
- Continue with Security for WordPress
- About this document
Disable XML-RPC
// Turns off the XML-RPC methods that require authentication.
add_filter('xmlrpc_enabled', '__return_false');
Step-by-step instructions
- Create the plugin or download it already created (unzip the ZIP file).
- Access the [/wp-content/mu-plugins/] folder via FTP. If you don’t have this folder, create it.
- Upload the file [wpdanger-xmlrpc.php] via FTP to the folder [/wp-content/mu-plugins/].
- When you enter the administration panel of your WordPress, the Plugins area will have a new Must-Use plugins section where the plugin appears. Remember that, being a Must-Use plugin, it cannot be activated or deactivated.

Disable XML-RPC Pingbacks
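// Remove the pingback methods from the list of XML-RPC methods WordPress exposes.
function wpdanger_xmlrpc_ping($methods) {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    return $methods;
}
// Stop advertising the XML-RPC endpoint in the X-Pingback response header.
function wpdanger_xmlrpc_header($headers) {
    unset($headers['X-Pingback']);
    return $headers;
}
// Both callbacks take a single argument and run late (priority 9999).
add_filter('xmlrpc_methods', 'wpdanger_xmlrpc_ping', 9999, 1);
add_filter('wp_headers', 'wpdanger_xmlrpc_header', 9999, 1);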
Step-by-step instructions
- Create the plugin or download it already created (unzip the ZIP file).
- Access the [/wp-content/mu-plugins/] folder via FTP. If you don’t have this folder, create it.
- Upload the file [wpdanger-xmlrpc-pingback.php] via FTP to the folder [/wp-content/mu-plugins/].
- When you enter the administration panel of your WordPress, the Plugins area will have a new Must-Use plugins section where the plugin appears. Remember that, being a Must-Use plugin, it cannot be activated or deactivated.

Allow limited IP access
As this method can be very aggressive, you can consider lighter options that later let you add, for example, an IP address from which access is allowed while all others are refused.
In Apache HTTPD (inside the .htaccess file):
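# Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat.
<Files xmlrpc.php>
    # The argument must not contain a space after the comma.
    Order deny,allow
    Deny from all
    Allow from 8.8.8.8
</Files>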
You have to change 8.8.8.8 to your IP address
In nginx (within the site configuration file):
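location = /xmlrpc.php {
    # Only POST is accepted; every other method is refused.
    limit_except POST {
        deny all;
    }
    # POST is accepted from the listed address only; without "deny all" the allow line restricts nothing.
    allow 8.8.8.8;
    deny all;
    access_log off;
    log_not_found off;
    # This exact-match location wins over a generic PHP location, so the directives that hand the request to PHP must also be present here.
}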
You have to change 8.8.8.8 to your IP address
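To check the effect of the pingback plugin and of the IP restriction on your own site, the following added example (not part of the original document or its plugins) audits two responses you have captured: the headers of a normal page and the reply to a `system.listMethods` POST to /xmlrpc.php. The function names, the finding strings and the sample data are assumptions constructed for illustration.

```python
import xmlrpc.client

# The two methods the pingback plugin unsets from the xmlrpc_methods list.
PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}

def audit_xmlrpc(page_headers, status, body):
    """Report what is still exposed, from two captured responses of your own site.

    page_headers: response headers of a normal front-end page (dict).
    status, body: HTTP status and body of a system.listMethods POST to /xmlrpc.php.
    Returns a list of findings; an empty list means nothing was exposed.
    """
    findings = []
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in page_headers.items()}
    if "x-pingback" in lowered:
        findings.append("X-Pingback header advertises " + lowered["x-pingback"])
    if status == 403:
        # The web server refused this client: the IP restriction is in effect.
        return findings
    try:
        params, _ = xmlrpc.client.loads(body)
        methods = set(params[0])
    except xmlrpc.client.Fault as fault:
        return findings + ["endpoint reachable, fault %d" % fault.faultCode]
    except Exception:
        return findings + ["endpoint reachable, body is not an XML-RPC response"]
    findings.append("endpoint reachable, %d methods listed" % len(methods))
    for name in sorted(PINGBACK_METHODS & methods):
        findings.append("pingback method still registered: " + name)
    return findings

def sample_listing(methods):
    """Build a constructed system.listMethods response body for the samples."""
    return xmlrpc.client.dumps((methods,), methodresponse=True).encode()

# Constructed samples (not captured from a real site).
DEFAULT_SITE = ({"X-Pingback": "https://example.test/xmlrpc.php"}, 200,
                sample_listing(["system.listMethods", "wp.getPost", "pingback.ping",
                                "pingback.extensions.getPingbacks"]))
PINGBACKS_OFF = ({"Content-Type": "text/html"}, 200,
                 sample_listing(["system.listMethods", "wp.getPost"]))
IP_BLOCKED = ({"Content-Type": "text/html"}, 403, b"<html>403 Forbidden</html>")

if __name__ == "__main__":
    for label, sample in [("default", DEFAULT_SITE), ("pingbacks off", PINGBACKS_OFF),
                          ("blocked", IP_BLOCKED)]:
        print(label, audit_xmlrpc(*sample))
```

Run the capture from an address that is not on the allow list: a 403 there confirms the restriction, while the listing check only makes sense from an address that can still reach the endpoint.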
Continue with Security for WordPress
Current
- wp-config.php
- Security Keys
- Cookies
- Unwanted headers
- Combine CSS and JavaScript
- Hide the WordPress version
- Cache
- Default folders
- Post-installation
- File editing
- Site URL
- External servers
- XML-RPC
- Access to wp-admin
- Automatic updates
- Users
- Media cleanup
- robots.txt
- Default theme
- Emoji
- Unfiltered file uploads
About this document
This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and to put the material you create under the EUPL license.