XML-RPC in WordPress: The Security and Performance Risk You Should Disable

XML-RPC is a remote procedure call protocol that WordPress has supported since before the REST API existed. It allows external applications to communicate with your WordPress site — but in 2026, it is mostly a liability.

What XML-RPC Does

XML-RPC (xmlrpc.php) enables remote publishing, pingbacks, and trackbacks. Desktop blogging apps and some mobile apps used it to post content. The Jetpack plugin historically used it for communication with WordPress.com servers.

Why It Is a Problem

Brute Force Amplification

XML-RPC supports the system.multicall method, which allows hundreds of login attempts in a single HTTP request. Rate limiting on wp-login.php does not apply here. Attackers can try thousands of passwords per minute through this single endpoint.

DDoS Vector

The pingback feature can be abused to make your site a participant in DDoS attacks. An attacker sends pingback.ping requests to your server that name a victim's URL as the source, so your server fetches that URL on the attacker's behalf; many WordPress sites driven this way act as an amplifier against the target.

Performance Drain

Even if no one is actively exploiting it, bots constantly probe xmlrpc.php. Every request triggers PHP execution and database queries for authentication, and ties up a PHP worker for its duration. On resource-limited hosting, this bot traffic alone can degrade performance for real visitors.

How to Disable XML-RPC

Method 1: WordPress Filter

Add to your theme’s functions.php or a custom plugin:

// Refuse XML-RPC methods that require authentication (logins, remote publishing).
add_filter( 'xmlrpc_enabled', '__return_false' );

This disables the XML-RPC methods that require authentication (logins, remote publishing) at the WordPress level; unauthenticated methods such as pingback.ping still respond, and PHP still executes on every request.

Method 2: Block at Web Server (Recommended)

Block it before PHP even loads. For Nginx:

# Exact match on the endpoint; Nginx answers itself and PHP-FPM is never invoked.
location = /xmlrpc.php {
    deny all;
    return 403;
}

For Apache (.htaccess):

# Apache 2.4 syntax; the request is refused before it reaches PHP.
<Files xmlrpc.php>
    Require all denied
</Files>
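To confirm which layer is actually stopping requests once you have applied one of the methods above, here is an added Python check (not from the original post or the WP Multitool project) that sends a single wp.getUsersBlogs call with placeholder credentials to your own site's xmlrpc.php and classifies the reply. The fault codes it looks for are the ones WordPress returns for that method (405 when the xmlrpc_enabled filter refuses the login, 403 for bad credentials); the site URL passed to probe() is assumed to be a site you operate.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# One wp.getUsersBlogs call with placeholder credentials (constructed, not real).
# The method needs authentication, so it is exactly what the xmlrpc_enabled filter
# gates, and WordPress answers it with a fault whether or not the filter is active.
PROBE_BODY = (
    "<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
    "<params><param><value><string>hardening-probe</string></value></param>"
    "<param><value><string>placeholder-not-a-password</string></value></param>"
    "</params></methodCall>"
)

def parse_response(body):
    """None if not XML-RPC at all; {} on success; {faultCode, faultString} on a fault."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodResponse":
        return None
    fault = root.find("fault")
    if fault is None:
        return {}
    return {m.findtext("name"): "".join(m.find("value").itertext()).strip()
            for m in fault.iter("member") if m.find("value") is not None}

def classify(status, body):
    """Map one xmlrpc.php reply to the layer that handled the request."""
    reply = parse_response(body)
    if reply is None:
        # No XML-RPC reply: the web server refused the request before PHP ran.
        return "blocked-before-php" if status in (403, 404, 410) else "unknown"
    if reply.get("faultCode") == "405":
        return "disabled-by-filter"  # PHP ran; xmlrpc_enabled refused the login
    return "enabled"  # faultCode 403 (bad credentials) or real data: endpoint is live

def probe(site_url, timeout=10):
    """POST the probe to <site_url>/xmlrpc.php on a site you operate and classify it."""
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php", method="POST",
                                 data=PROBE_BODY.encode(), headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

# Constructed fault template in the shape WordPress emits, for offline checks of classify().
FAULT = ("<?xml version='1.0'?><methodResponse><fault><value><struct>"
         "<member><name>faultCode</name><value><int>{code}</int></value></member>"
         "<member><name>faultString</name><value><string>{msg}</string></value></member>"
         "</struct></value></fault></methodResponse>")
```

Run probe("https://your-site.example") after each change: "blocked-before-php" means the web server rule is doing the work, "disabled-by-filter" means PHP still runs for every probe.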

Before You Disable

Check if anything uses XML-RPC on your site:

  • Jetpack — Older versions required XML-RPC. Current versions can use the REST API instead.
  • Mobile apps — The WordPress mobile app now uses the REST API.
  • Remote publishing tools — Some legacy tools still use XML-RPC. Switch to REST API alternatives.

For most sites in 2026, nothing depends on XML-RPC anymore.

If you want a quick toggle without editing server configs, WP Multitool’s Frontend Tweaks module includes XML-RPC disabling along with other security and performance toggles — one click, no code editing required.

Disabling XML-RPC is one of those rare changes that improves both security and performance with zero downside for modern WordPress sites.
