Disable XML-RPC API in WordPress


XML-RPC has been the method of choice for many hackers. The term may sound too technical for a majority of WordPress users, but in short, XML-RPC is an API that allows you to publish posts without having to be logged in to your WordPress admin. The benefit of XML-RPC is that it allows third-party applications like Jetpack to push content and commands to your WordPress site, creating a more streamlined experience for users like yourself. The problem is that a hacker no longer necessarily has to know your strong username and password to gain access to your site. All they need are the credentials for your API, which can be obtained from any app you have already integrated with if that app becomes compromised. Making matters worse, you have no control over the environments where your API credentials may have been obtained without authorization. For example, if you use a plugin or a third-party application that integrates with your WordPress site using XML-RPC and that third-party application is hacked, your API credentials may be compromised.

With this information, hackers or unauthorized users can push content, code, or commands to your WordPress site. The effect is no different than a hacker gaining direct access to your WordPress admin.

The solution to this is simple if you don’t use XML-RPC: Disable it.

If you do use plugins or apps that depend on XML-RPC, you can instead enable it selectively for those applications and block it for everything else.

Both of these can be achieved through simple plugins that don’t weigh down your site. Here is the list of plugins that will help you restrict XML-RPC:

1. Disable XML-RPC

As the name states, the plugin is rather straightforward and easy to use. Once you download the plugin from the WordPress repository, simply activate it and XML-RPC will be disabled sitewide.

It’s very simple to use. However, if you need to selectively disable/enable XML-RPC or allow certain apps to use XML-RPC, then this plugin isn’t for you.

Download from the WordPress Repository

2. Disable XML-RPC Pingback


If you use a plugin that requires XML-RPC, such as Jetpack, this plugin will leave XML-RPC available to legitimate plugins while disabling the most commonly abused and rarely needed features of XML-RPC, such as pingbacks. This plugin is a scaled-down version of the first plugin above.

Download from the WordPress Repository
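For readers who prefer a few lines of code to a plugin, the following must-use plugin implements both options from this article in one file: pingback methods are removed for every client, and the rest of the XML-RPC API is only exposed to an allowlisted client address. This is an added example, not code from either plugin above; the allowlist addresses are placeholders, and the hooks used (`xmlrpc_methods`, `xmlrpc_enabled`, `wp_headers`) are WordPress core filters.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example)
 * Description: Removes pingback methods for everyone and the rest of XML-RPC
 *              unless the client is allowlisted. Place in wp-content/mu-plugins/.
 */
// Hypothetical allowlist: addresses your integration (e.g. Jetpack) calls from.
// Placeholder values; replace with the real client addresses.
const RESTRICT_XMLRPC_ALLOWED_CLIENTS = array( '192.0.2.10', '198.51.100.0/24' );

// IPv4 address or CIDR range match (exact string match for anything else).
function restrict_xmlrpc_ip_matches( $ip, $entry ) {
    if ( false === strpos( $entry, '/' ) ) {
        return $ip === $entry;
    }
    list( $subnet, $bits ) = explode( '/', $entry, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

// REMOTE_ADDR is only trustworthy if your proxy/CDN is configured to set it.
function restrict_xmlrpc_client_allowed() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( RESTRICT_XMLRPC_ALLOWED_CLIENTS as $entry ) {
        if ( restrict_xmlrpc_ip_matches( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}
// Pingbacks are the most abused XML-RPC feature: drop them for every client,
// and expose no methods at all to clients that are not on the allowlist.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return restrict_xmlrpc_client_allowed() ? $methods : array();
} );
// Login-based methods (wp.*, metaWeblog.*, ...) only for allowlisted clients.
add_filter( 'xmlrpc_enabled', 'restrict_xmlrpc_client_allowed' );

// Stop advertising the pingback endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

To disable XML-RPC sitewide instead, leave the allowlist empty; every client then gets an empty method table.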
