Disable XMLRPC in WordPress Applications

A comprehensive step-by-step guide on how to enable/disable XMLRPC access from the Cloudways Platform.

Emmad avatar
Written by Emmad
Updated over a week ago

What is XMLRPC?

XMLRPC refers to XML Remote Procedure Calls, and it is a WordPress feature allowing you to build remote connections between your WordPress site and external applications.

Over the latest WordPress releases, the use of XMLRPC has declined. It still exists in the WordPress application to support backward compatibility. WordPress sites with outdated systems still use it.

WordPress has already brought an alternative solution called WordPress REST API, which offers more flexibility to communicate with a range of systems outside of WordPress. You can communicate with your site using desktop clients, other blogging platforms, WordPress mobile app, WordPress.com (for plugins, e.g., Jetpack) with REST API.

Why Should I Disable XMLRPC?

Malicious actors overwhelm the website by launching security attacks on endpoints such as wp-login.php and xmlrpc.php. These attacks are recognized by the number of POST requests targeting your xmlrpc.php file and they consume most of your server resources and affect server performance. The most common security attack is a Brute Force attack targeted to gain illicit access to a website. WordPress offers a powerful and alternative solution called REST API; therefore, you should disable XMLRPC on your site.

XMLRPC access is disabled by default which means that the traffic to the xmlrpc.php file is not entertained. In other words, your website does not accept POST requests targeting the xmlrpc.php file. This helps to prevent your website from malicious attacks. To further protect your application, you can also activate Bot Protection, which aims to identify, block malicious traffic, and offer protection against such malicious attacks.

How to Disable XMLRPC Access

To reiterate, XMLRPC access is disabled by default. If your application has XMLRPC access enabled and you want to disable it, you can follow these steps.

Securing WordPress — Navigate to Application Settings

Log in to your Cloudways Platform using your credentials.

  1. From the top menu bar, open Servers.

  2. Then, choose the server where your desired application is deployed.

3. Next, click www.

4. Choose your application’s name.

5. Under Application Management, select Application Settings.

Securing WordPress — Disable XMLRPC Access

  1. Scroll down in Application Settings and Disable XMLRPC Access.

You will be prompted here about disabling XMLRPC. Click OK to confirm.

That’s it! We hope this tutorial was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.

Did this answer your question?