How to Disable XML-RPC on WordPress

How do you turn xml-rpc off in WordPress? Unfortunately, xml-rpc is turned on by default in WordPress. This protocol can be problematic for some users because it’s not secure and exposes a lot of data to the public web. In this post we will show you how to disable xml-rpc on your site so that only logged-in users are able to access it.

What is xml-rpc?

xml-rpc is a remote procedure call protocol. This lets users access content on your site without logging in or clicking around.

xml-rpc can be problematic because it’s not secure and exposes user data to the public web (including usernames, passwords, posts). It also limits functionality for logged-out visitors who want to read your content but are unable to log in as their access is limited by xml-rpc.

Why should I disable it?

It’s better to disable XML-RPC if you’re not making use of it. xml-rpc can also be limiting for logged-out visitors who want to read your content but are unable to log in and still have access because xml-rpc is enabled on the site.

In this post, we will show you how to disable xml-rpc on your site so that your site becomes secure and improves speed.

How do I disable it?

Disabling xml-rpc can be done in a few simple steps. First log into your WordPress site, then go to Settings >> Writing and scroll down until you see the ‘XML-RPC’ option on this page. Simply click on the box that says ‘Enabled’. Now xml-rpc is disabled and will not interfere with your website’s content or functionality.

Another way is to turn off XML-RPC via FTP. To do so, log into your FTP client and find the xmlrpc.php file in the WordPress directory on your server. Rename xmlrpc.php to xmlrpc-old.php.

To disable xml-rpc via phpMyAdmin, log in as a user with rights to edit WordPress settings (or go through the “Super Admin” who has full access). Click on ‘Options’, then scroll down until you see XML-RPC under Database Settings of the WordPress options table; uncheck it and click save changes at the bottom right corner of that page to confirm.

What does this mean for my website’s security?

Disabling XML-RPC improves your WordPress site’s security and performance.

XML-RPC is an XML protocol used to transfer data between XML programs, such as features like Blogger and the self-hosted WordPress installation on your own domain or site.

Some people feel that it poses a security threat because when XML-RPC was implemented in WordPress core, very little thought went into its implementation other than ease of use for plugin developers.

Hackers and malware target XML-RPC and try to break your WordPress system. Even if they can’t break your site, they can definitely slow it down or even take it down by sending too many attacks.

When a hacker or malware attacks your XML-RPC, this single file communicates with the WordPress database and locks Apache and MySQL processes. This can definitely slow down your WordPress site.
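Request floods like the ones described above show up in the web server access log as repeated POSTs to xmlrpc.php from the same client. The following is an added example, not code from the original post, that finds such bursts; it assumes the Apache/nginx "combined" log format, and the threshold, the window and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields needed here are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
)

def xmlrpc_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak number of POSTs to xmlrpc.php inside any `window`}
    for clients whose peak reaches `threshold`. Both defaults are
    assumptions to tune against your own traffic."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string and match the endpoint in any directory.
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] '
    '"POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
    for s in range(0, 12, 2)      # six POSTs in ten seconds
] + [
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "app"',
    '198.51.100.4 - - [10/Mar/2024:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "app"',
    '192.0.2.9 - - [10/Mar/2024:12:00:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
    '192.0.2.9 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for ip, n in xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php within 60s")
```

An empty result over a representative log period also tells you that nothing legitimate is posting to xmlrpc.php, which is useful to know before renaming or blocking the file.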

Is there a way to keep xml-rpc enabled and still have better site performance?

In my opinion, it’s not safe to turn on XML-RPC because it will definitely slow down your WordPress. However, if you apply a Web Application Firewall (WAF) to your site, then that will definitely block the malicious attacks and you can easily use XML-RPC.

Final thoughts on disabling xml-rpc in WordPress.

  • xml-rpc is not safe to turn on because it will slow down your WordPress.
  • xml-rpc can definitely lock Apache and MySQL processes which makes the site even slower.
  • one of the best ways to keep xml-rpc turned off while still having a fast website is by using Cloudflare’s CDN with SSL/TLS protection, such as their free plan that offers unlimited bandwidth for all sites under 25GB in size!

  • Alternatively, use a firewall to prevent spam attacks and use XML-RPC without any worries.


XML-RPC is a protocol for WordPress that allows external applications to interact with the website. It’s not necessary and can be disabled in order to protect your site from malicious code attacks, so we recommend disabling it as soon as possible. To disable XML-RPC on your WordPress website, follow the steps listed above.

If you use a Web Application Firewall or the Cloudflare CDN, then you can enable XML-RPC without losing your site’s speed and performance.
