XML-RPC (xmlrpc.php) is an older WordPress feature that lets external apps talk to your site. It’s also a favorite target for brute-force amplification and DDoS attacks. Here’s how to decide whether to disable it — and how to do it safely.
What XML-RPC does
It powers remote publishing, pingbacks, and some mobile/third-party app integrations. Most modern sites rely on the REST API instead, so many can disable XML-RPC with no downside.
Why it’s a security risk
XML-RPC’s system.multicall method lets attackers attempt many logins in a single request — amplifying brute-force attacks — and pingbacks can be abused for DDoS reflection.
How to disable it
- Use a security or activity-log plugin that can block XML-RPC with one toggle (easiest).
- Block it at the server level via .htaccess if you’re comfortable editing files.
- Confirm nothing you use (e.g., Jetpack or a remote posting app) depends on it first.
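The plugin route above boils down to a couple of WordPress filters. The must-use plugin below is an added example written for this article (it is not Obzervi's code and not part of WordPress); it assumes a stock install, the file name and the `xmlrpc_example` prefix are placeholders. One caveat it handles that a one-line `xmlrpc_enabled` snippet does not: that filter only gates methods that authenticate, and `pingback.ping` needs no login, so the pingback methods are removed separately.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php (placeholder name).
 * Added example for this article, not Obzervi's or WordPress's own code.
 */

// 1. Refuse every XML-RPC call that authenticates. WordPress checks this
//    filter inside its login() routine and answers with the fault
//    "XML-RPC services are disabled on this site." instead of running the
//    call. Because the check lives in login(), it also neutralises
//    system.multicall: every login attempt the multicall wraps fails.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. The pingback methods never authenticate, so the filter above does not
//    stop them. Drop them from the method table so the server reports
//    "requested method pingback.ping does not exist".
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],                    // DDoS reflection vector
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint: WordPress sends an X-Pingback header
//    on front-end responses that points scanners straight at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

The server-level alternative from the list is the equivalent `<Files xmlrpc.php>` `Require all denied` `</Files>` block in `.htaccess` (Apache 2.4 syntax), which stops requests before PHP runs at all; the plugin version is the one to use if you cannot edit server files or want the change to travel with the site.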
When to leave it on (but protect it)
If you genuinely need XML-RPC, don’t just leave it exposed — monitor and rate-limit it. Obzervi protects XML-RPC alongside the login page and REST API, logging and blocking abusive requests instead of forcing an all-or-nothing choice.
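If you keep XML-RPC on, the protection the paragraph describes is a per-client counter plus logging. The must-use plugin below is an added example for this article, not Obzervi's code; it assumes the site faces the internet directly so `REMOTE_ADDR` is the client address (behind a proxy or CDN, read the client IP from the header your proxy sets instead), and the limits and the `xmlrpc_example` names are placeholders you would tune.

```php
<?php
/**
 * Plugin Name: XML-RPC rate limit and log (added example)
 *
 * Save as wp-content/mu-plugins/xmlrpc-rate-limit.php (placeholder name).
 * Added example for this article, not Obzervi's or WordPress's own code.
 */

// Assumed limits: at most this many xmlrpc.php requests per client IP in
// each fixed window. A legitimate app posts a few times a minute; a
// brute-force run sends hundreds.
const XMLRPC_EXAMPLE_MAX_REQUESTS = 20;
const XMLRPC_EXAMPLE_WINDOW_SECS  = 60;

// Record one request for $ip at time $now and return the count so far in
// the current window. The window start is stored with the count so that
// continuous traffic cannot keep the counter alive forever.
function xmlrpc_example_record_hit( string $ip, int $now ): int {
    $key    = 'xmlrpc_hits_' . md5( $ip );
    $bucket = get_transient( $key );
    if ( ! is_array( $bucket ) || $now - $bucket['start'] >= XMLRPC_EXAMPLE_WINDOW_SECS ) {
        $bucket = array( 'start' => $now, 'count' => 0 );
    }
    $bucket['count']++;
    $remaining = XMLRPC_EXAMPLE_WINDOW_SECS - ( $now - $bucket['start'] );
    set_transient( $key, $bucket, max( 1, $remaining ) );
    return $bucket['count'];
}

// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so on `init`
// we know whether this request is headed for the XML-RPC server. Over the
// limit: log it and answer 429 before the request body is ever parsed.
add_action( 'init', function () {
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return;
    }
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $count = xmlrpc_example_record_hit( $ip, time() );
    if ( $count > XMLRPC_EXAMPLE_MAX_REQUESTS ) {
        error_log( sprintf( 'xmlrpc: blocked %s after %d requests in %ds',
            $ip, $count, XMLRPC_EXAMPLE_WINDOW_SECS ) );
        status_header( 429 );
        header( 'Retry-After: ' . XMLRPC_EXAMPLE_WINDOW_SECS );
        exit;
    }
}, 1 );

// Visibility below the limit: WordPress fires `xmlrpc_call` with the method
// name for each call that gets past authentication (pingback.ping needs
// none), so a system.multicall burst shows up as many lines in a row.
add_action( 'xmlrpc_call', function ( $name ) {
    error_log( sprintf( 'xmlrpc: %s called %s', $_SERVER['REMOTE_ADDR'] ?? '-', $name ) );
} );

// Failed XML-RPC logins are the brute-force signal itself; WordPress passes
// each one through `xmlrpc_login_error`, so log it and return it unchanged.
add_filter( 'xmlrpc_login_error', function ( $error, $user ) {
    error_log( sprintf( 'xmlrpc: failed login from %s', $_SERVER['REMOTE_ADDR'] ?? '-' ) );
    return $error;
}, 10, 2 );
```

The counter lives in a transient, so on a site with a persistent object cache it is shared across PHP workers; on a plain install it falls back to the options table, which is fine at this request rate. Watching the PHP error log for the `xmlrpc:` lines tells you within a minute whether the endpoint is being hammered, and whether the 429s are hitting an app you actually use.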
Not sure if XML-RPC is being attacked on your site? Obzervi shows you — install free.