Disable XML-RPC in WordPress

WordPress XML-RPC can be used to try several thousand passwords in a short time – great for hackers using brute-force attacks. To avoid this, you can disable XML-RPC by adding this line of code to your WordPress installation:

add_filter( 'xmlrpc_enabled', '__return_false' );

This line does not disable XML-RPC completely – but it disables all XML-RPC calls that require user authentication. That way, XML-RPC cannot be used for password validation.

Another way is to block xmlrpc.php at the web server level by adding this to your .htaccess:

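# Block xmlrpc.php requests
# Apache 2.2 syntax; Apache 2.4 without mod_access_compat uses "Require all denied" instead.
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>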

That way, WordPress does not have to handle the requests, because they are blocked at the web server level.
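
To check from the access log whether xmlrpc.php is being hammered and whether the .htaccess block is answering those requests, the following added example (not part of the original post) tallies POST requests to xmlrpc.php per client IP. It assumes Apache common/combined log format; the sample log lines, the function name and the per-minute threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:05:10 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:09:44 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "-"
192.0.2.5 - - [10/Mar/2024:10:10:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.5 - - [10/Mar/2024:10:10:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""


def summarize_xmlrpc(lines, threshold=3):
    """Per client IP: POSTs to xmlrpc.php answered 403 vs. not, and peak per minute."""
    per_minute = defaultdict(int)
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string; match installs in subdirectories too.
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        entry = report.setdefault(
            m["ip"], {"served": 0, "blocked": 0, "peak_per_min": 0})
        # 403 = refused by the web server, so WordPress never handled it.
        entry["blocked" if m["status"] == "403" else "served"] += 1
        bucket = (m["ip"], m["ts"][:17])  # timestamp truncated to the minute
        per_minute[bucket] += 1
        entry["peak_per_min"] = max(entry["peak_per_min"], per_minute[bucket])
    for entry in report.values():
        # threshold is an assumed value; tune it to the site's normal traffic.
        entry["flag"] = entry["peak_per_min"] >= threshold
    return report


if __name__ == "__main__":
    for ip, stats in summarize_xmlrpc(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

A non-zero "served" count after the .htaccess rule is in place means requests are still reaching PHP, for example because the rule sits in the wrong directory or the server ignores .htaccess overrides.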