Welcome back to our 2-part series on the infamous WordPress xmlrpc.php file! This is a second and final part, where we cover exactly how to disable that pesky xmlrpc.php file once and for all, and tighten up the security of your WordPress website. If you haven’t read part 1 of our series, be sure to check that out first and then proceed on below!
How to disable xmlrpc.php
Now that you know what xmlrpc.php is and why it’s worth disabling, we’ll go over how to disable it. But first, you should check whether it’s currently enabled and accessible. There are two simple tests you can perform to check this.
- Visit https://xmlrpc.eritreo.it/, and type in your site’s domain name. The site will tell you whether xmlrpc.php is currently accessible or not.
- Or, go to yourdomain.com/xmlrpc.php. If it’s enabled, you should see a message like “XML-RPC server accepts POST requests only.” If it’s not enabled, you may see a forbidden (403), or a not found (404) error.
If either of those tests showed your xmlrpc.php file as enabled, you can use the following steps to disable it. We’ll go over a few of the different options that you have – using a plugin, modifying your .htaccess file, or adding a filter to your theme’s functions.php file.
Using a plugin
The easiest method is to use a plugin. There are many plugins that offer the functionality to disable xmlrpc.php, some offering more functionality than others.
Today, we’ll be using the most popular plugin on the WordPress plugin repository: Disable XML-RPC. This can be downloaded from the supplied link and then uploaded to your site, or by navigating to your WordPress admin dashboard > Plugins > Add New > Search for “Disable XML-RPC” > Click the “Install Now” button.
That’s it! All you need to do is install and activate the plugin. Once that’s done, it’s also worth using the test at https://xmlrpc.eritreo.it to ensure that it’s definitely disabled.
Other plugins exist to modify only particular functionality of xmlrpc.php. One such popular plugin is “Disable XML-RPC Pingback”. This plugin will only disable the pingback functionality, which can be used for DDoS attempts. This may be an ideal option if you need to use xmlrpc.php for a plugin like Jetpack, but have no need for pingbacks.
Modifying your .htaccess file
Our second option is slightly more complicated than simply installing a plugin, and should only be attempted if you’re familiar with modifying your site’s files directly. As always, we strongly suggest that a backup is taken prior to making any changes to your files.
In order to proceed and modify your .htaccess file, you will need to be using a Litespeed or Apache server. There are many ways to determine your server environment – but if you’re not sure, you can take a look through the file manager, FTP, or SSH for your .htaccess file.
Once you have located your .htaccess file, you will need to open it up and modify it. This can be done through cPanel or Plesk’s file manager, FTP, or any other way you prefer to manage your site’s files. You will need to add the following code to your .htaccess file:
# Disable xmlrpc.php for security
<files xmlrpc.php>
order allow,deny
deny from all
</files>
The above code will block all access to your xmlrpc.php file. Alternatively, you can use the following code to block access to the file for all but a specific IP address (or multiple IP addresses):
# Disable xmlrpc.php for security
<files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</files>
Simply replace 123.123.123.123 with the IP address that you would like to allow access to the file. One potential use for this is blocking all access to xmlrpc.php besides Jetpack’s IP addresses, which can be found here.
As we did with the plugin method, you can then test your site to ensure that xmlrpc.php is disabled using the xmlrpc.php validator site: https://xmlrpc.eritreo.it.
Using your theme’s function.php file
This is the most complex method of the three that we’re covering in this guide. This method involves adding a filter to your theme’s functions.php file. Whenever you’re modifying your theme’s functions.php file directly, it’s recommended that you’re using a child theme or a theme editing plugin to ensure that your changes aren’t overwritten when you perform a theme update. You can learn more about child themes at https://developer.wordpress.org/themes/advanced-topics/child-themes/.
If you would prefer to not utilise a child theme, there are plugin options that will allow you to modify your functions.php file without having your changes overwritten. One such plugin is Theme Customisations.
Whichever method you choose, you will need to add the following code to your functions.php file to disable xmlrpc.php.
add_filter( ‘xmlrpc_enabled’, ‘__return_false’ );
Once that has been completed, simply save your file and then validate that the change has been successful. You can use https://xmlrpc.eritreo.it to validate that your xmlrpc.php file has definitely been disabled.
Conclusion
This wraps up our guide on the xmlrpc.php file, where we’ve covered some of its history, what the security risks are, and how you can disable it on your own site. We hope that this has been helpful in further securing your WordPress website from a variety of common attacks!
As always, if you have any questions about this post or our shared hosting, VPS, reseller or dedicated server plans, simply call us on 1300 MY HOST (694 678) during business hours, or submit a ticket through our Support Portal and one of the crew will be in touch!
