To disable XML-RPC completely on sites running WordPress 3.5+, you can either add a code snippet to your theme’s functions.php file or create a small plugin to achieve this. Here are the steps for both methods:
Method 1: Add Code to functions.php
- Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
- Add the following code to disable XML-RPC:
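```php
// Disable XML-RPC (this filter turns off the methods that require authentication)
add_filter('xmlrpc_enabled', '__return_false');
// Remove the RSD link from the header
remove_action('wp_head', 'rsd_link');
// Block XML-RPC requests by emptying the list of registered methods
add_filter('xmlrpc_methods', function() {
    return [];
});
```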
Method 2: Create a Custom Plugin
- Create a new file in your wp-content/plugins/ directory, for example, disable-xmlrpc.php.
- Add the following code to the file:
```php
<?php
/*
Plugin Name: Disable XML-RPC
Description: Completely disables XML-RPC on WordPress 3.5+.
Version: 1.0
Author: Your Name
*/
// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');
// Remove the RSD link from the header
remove_action('wp_head', 'rsd_link');
// Block XML-RPC requests
add_filter('xmlrpc_methods', function() {
    return [];
});
```
- Activate the plugin from the WordPress admin dashboard.
Additional Step: Block XML-RPC Requests via .htaccess (Optional)
To add an extra layer of protection by blocking XML-RPC requests at the server level, you can modify your .htaccess file:
- Open your .htaccess file (located in the root directory of your WordPress installation).
- Add the following code to block all XML-RPC requests:
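```apache
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
    Order Deny,Allow
    Deny from all
</Files>
```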
By following these steps, you will completely disable XML-RPC on your WordPress site running version 3.5 or later, enhancing your site’s security by preventing potential XML-RPC-based attacks.
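To confirm the steps above took effect on a site you administer, the following added example (not part of the original article) sends a `system.listMethods` call to `xmlrpc.php` and classifies the answer. The verdict names, the `probe` and `classify` helpers, and the sample bodies are constructed for this example, and it assumes any remaining `system.*` names are the XML-RPC library's introspection methods rather than WordPress API methods.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# XML-RPC call asking the endpoint which methods it still exposes.
PROBE = (b'<?xml version="1.0"?><methodCall>'
         b'<methodName>system.listMethods</methodName><params/></methodCall>')

def _response(names):
    """Build a constructed methodResponse listing the given method names."""
    items = "".join(f"<value><string>{n}</string></value>" for n in names)
    return (f"<?xml version='1.0'?><methodResponse><params><param><value><array>"
            f"<data>{items}</data></array></value></param></params></methodResponse>").encode()

# Constructed sample bodies (not captured from a real site).
SAMPLE_OPEN = _response(["system.listMethods", "wp.getUsersBlogs", "pingback.ping"])
SAMPLE_FILTERED = _response(["system.listMethods", "system.getCapabilities"])

def classify(status, body):
    """Map one response to the probe onto (verdict, method names)."""
    if status in (401, 403):
        return ("blocked-at-server", [])   # e.g. the .htaccess rule answered
    try:
        root = ET.fromstring(body)         # only parse responses from your own site
    except ET.ParseError:
        return ("unknown", [])
    if root.tag != "methodResponse":
        return ("unknown", [])
    if root.find("fault") is not None:
        return ("fault", [])               # the server rejected the call itself
    names = [s.text for s in root.iter("string") if s.text]
    # Assumption: system.* names are library introspection, not WordPress API methods.
    app = [n for n in names if not n.startswith("system.")]
    return ("exposed", app) if app else ("no-application-methods", names)

def probe(site_url, timeout=10):
    """POST the probe to <site_url>/xmlrpc.php and classify the answer."""
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php",
                                 data=PROBE, headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

if __name__ == "__main__":
    print(probe(sys.argv[1]))  # usage: python check_xmlrpc.py https://your-site.example
```

A verdict of `exposed` means WordPress methods are still callable and the filters are not active; `blocked-at-server` means the web server refused the request before WordPress ran.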