XML-RPC has been enabled by default since WordPress 3.5, and there is no switch for it in the admin UI. It lets external services and applications read and modify content on your site; examples are the Jetpack plugin, the WordPress mobile apps, and pingbacks from other blogs. The downside is that xmlrpc.php is an unauthenticated, publicly reachable endpoint: its login methods can be used for password brute forcing (with system.multicall, a single request can carry hundreds of login attempts), and its pingback method can be abused to make your server send requests to third parties. If you are not using any of these services and applications, you should consider disabling XML-RPC.
Using the xmlrpc_enabled Filter
To disable XML-RPC, add the following line to your theme's functions.php file (or, better, to a site-specific plugin or a file in wp-content/mu-plugins, so the setting survives a theme change):
add_filter( 'xmlrpc_enabled', '__return_false' );
After adding the code, you can check whether XML-RPC is disabled with the WordPress XML-RPC Validation Service: enter your site address and click Check, and the service runs a test against your site. With the filter in place, any method that requires a login returns XML-RPC fault 405, "XML-RPC services are disabled on this site", so the validator should report that the endpoint is not usable.
The code above does not fully disable XML-RPC. The xmlrpc_enabled filter is only consulted when a method tries to log in, so it blocks the methods that require authentication but leaves xmlrpc.php responding to everything else, including pingback.ping and informational methods such as system.listMethods. In other words, pingbacks are not disabled by this filter.
You can disable pingbacks from your WordPress dashboard (wp-admin): go to Settings » Discussion and uncheck "Allow link notifications from other blogs (pingbacks and trackbacks) on new articles".
Note that this setting only changes the default for new posts; existing posts keep their own ping status. To disable pingbacks on older posts as well, follow these steps:
- From your WordPress dashboard, go to the Posts » All Posts page.
- Select all posts.
- In the Bulk Actions drop-down, choose "Edit" and then click Apply.
- In the Pings drop-down, choose "Do not allow".
- Click the Update button.
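The following must-use plugin is an added example, not code from the original article or from WordPress itself. It combines the xmlrpc_enabled filter from the first section with code-level equivalents of the pingback settings above, so the result does not depend on theme changes or on editing every post by hand. It uses only standard WordPress hooks (xmlrpc_enabled, xmlrpc_methods, pings_open, pre_option_default_ping_status, wp_headers, rsd_link); the plugin name and file location are assumptions.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 * Description: Disables authenticated XML-RPC, pingbacks and multicall.
 *
 * Assumed location: wp-content/mu-plugins/harden-xmlrpc.php
 * (mu-plugins load on every request and cannot be deactivated from wp-admin).
 */

// 1. Same as the article's snippet: every method that needs a login now
//    fails with XML-RPC fault 405 "XML-RPC services are disabled on this site".
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the methods that do NOT need a login but are still abusable:
//    - pingback.ping makes this server fetch an attacker-chosen URL;
//    - system.multicall batches many calls (e.g. login attempts) into one request.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Equivalent of the dashboard steps: close pings for existing posts
//    (pings_open() is what WordPress consults before accepting a pingback)
//    and make "closed" the default ping status for new posts.
add_filter( 'pings_open', '__return_false' );
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );

// 4. Stop advertising the endpoint: drop the X-Pingback response header and
//    the <link rel="EditURI"> (RSD) tag that points clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Step 3 makes the per-post bulk edit unnecessary, because pings_open() is filtered to false for every post regardless of the value stored in the database. Jetpack and the mobile apps will stop working once step 1 is in place; if you need them, keep xmlrpc_enabled and apply only steps 2 to 4.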
Block Public Access to xmlrpc.php
Last but not least, if your site runs on Apache and AllowOverride permits it, you can block xmlrpc.php at the web server so requests never reach PHP at all. Add the snippet below to your .htaccess file (nginx ignores .htaccess and needs an equivalent location rule). Be aware that this also blocks Jetpack, the mobile apps and any other legitimate XML-RPC client:
# Block all XML-RPC requests
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>