{"id":906,"date":"2026-06-18T17:51:22","date_gmt":"2026-06-18T17:51:22","guid":{"rendered":"https:\/\/obzervi.com\/blog\/?p=906"},"modified":"2026-06-19T16:17:41","modified_gmt":"2026-06-19T16:17:41","slug":"disable-xmlrpc-wordpress","status":"publish","type":"post","link":"https:\/\/obzervi.com\/blog\/disable-xmlrpc-wordpress\/","title":{"rendered":"How to Disable XML-RPC in WordPress (and When Not To)"},"content":{"rendered":"<p>XML-RPC (xmlrpc.php) is an older WordPress feature that lets external apps talk to your site. It&#8217;s also a favorite target for brute-force amplification and DDoS attacks. Here&#8217;s how to decide whether to disable it \u2014 and how to do it safely.<\/p>\n<h2>What XML-RPC does<\/h2>\n<p>It powers remote publishing, pingbacks, and some mobile\/third-party app integrations. Most modern sites rely on the REST API instead, so many can disable XML-RPC with no downside.<\/p>\n<h2>Why it&#8217;s a security risk<\/h2>\n<p>XML-RPC&#8217;s system.multicall method lets attackers attempt many logins in a single request \u2014 amplifying brute-force attacks \u2014 and pingbacks can be abused for DDoS reflection.<\/p>\n<h2>How to disable it<\/h2>\n<ul>\n<li>Use a security or activity-log plugin that can block XML-RPC with one toggle (easiest).<\/li>\n<li>Block it at the server level via .htaccess if you&#8217;re comfortable editing files.<\/li>\n<li>Confirm nothing you use (e.g., Jetpack or a remote posting app) depends on it first.<\/li>\n<\/ul>\n<h2>When to leave it on (but protect it)<\/h2>\n<p>If you genuinely need XML-RPC, don&#8217;t just leave it exposed \u2014 monitor and rate-limit it. Obzervi protects XML-RPC alongside the login page and REST API, logging and blocking abusive requests instead of forcing an all-or-nothing choice.<\/p>\n<blockquote><p>Not sure if XML-RPC is being attacked on your site? 
Obzervi shows you \u2014 install free.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>XML-RPC is a common attack vector. Learn what it does, how to disable or protect it safely, and when you should leave it on.<\/p>\n","protected":false},"author":1,"featured_media":948,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-906","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides"],"_links":{"self":[{"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/posts\/906","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/comments?post=906"}],"version-history":[{"count":1,"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/posts\/906\/revisions"}],"predecessor-version":[{"id":915,"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/posts\/906\/revisions\/915"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/media\/948"}],"wp:attachment":[{"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/media?parent=906"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/categories?post=906"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/obzervi.com\/blog\/wp-json\/wp\/v2\/tags?post=906"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}