3 Ways to Disable XML-RPC in WordPress [Security]

Updated on September 2, 2017

XML-RPC in WordPress is a useful feature that allows you to remotely publish posts from a mobile phone, a tablet or Windows Live Writer. However, keeping XML-RPC enabled on your WordPress blog is always a risk. Recently, an attacker used xml-rpc on one of my WordPress blogs to send some spam traffic to various websites. But that was an older version of WordPress (on an abandoned website), so the xml-rpc might have had a security hole that allowed an attacker to exploit it. Well, I’m not sure how secure they are (xml-rpc) in the latest version of WordPress. If you ever want to disable xml-rpc on WordPress, then there are 3 ways to do it.

Disable XML-RPC via snippets:

Copy and paste the line below into your theme's functions.php file:

add_filter('xmlrpc_enabled', '__return_false');
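A fuller functions.php snippet, added here as an example and not part of the original post. The one-line filter above only switches off XML-RPC methods that require authentication (WordPress answers those with an XML-RPC fault, not an HTTP 403), so an unauthenticated method such as pingback.ping, the one used in the curl test further down, is still served. This version also removes the pingback methods and stops the site advertising the endpoint. The hook names (xmlrpc_enabled, xmlrpc_methods, wp_headers, rsd_link) are real WordPress hooks; the anonymous-function style assumes PHP 5.3 or later.

```php
<?php
// Added example (not from the original post): harden XML-RPC beyond the
// single 'xmlrpc_enabled' filter. Paste into the active theme's functions.php.

// 1. Disable every XML-RPC method that requires authentication.
//    Unauthenticated methods (pingback.ping, demo.sayHello, ...) are not
//    affected by this filter, hence steps 2 and 3.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods from the method table so pingback.ping
//    can no longer be called at all.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and the RSD <link> in the page head that points at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

After activating, re-run the curl test from the end of this post: a site hardened this way answers a pingback.ping request with an XML-RPC fault saying the method is not found, whereas the .htaccess method below answers with the web server's 403 page.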

Disable XML-RPC via Plugin:

If you don’t want to mess with WordPress code, then a plugin is the safest way to disable xml-rpc. All you need to do is install the Disable XML-RPC plugin and activate it.

Disable XML-RPC via htaccess:

Copy and paste the lines below into your .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Note: You may need to allow access from a few IP addresses, which can be achieved using the ‘allow from’ directive as shown below:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from x.x.x.x
</Files>

Test XML-RPC using curl command:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

Sample output:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /xmlrpc.php
on this server.</p>
</body></html>

Look out for the “403 Forbidden” message in the sample output above. It means that XML-RPC is disabled on your site.
