Should You Disable XML-RPC on WordPress?

A few questions are arising about disabling XML-RPC on WordPress. To allay any confusion, it’s good to elucidate exactly what XML-RPC does and whether you should consider disabling it.

XML-RPC on WordPress is actually an API or Application Program Interface – It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site.

The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.

These ‘things you can do in WordPress’ include:

• Publish a post
• Edit a post
• Delete a post.
• Upload a new file (e.g. an image for a post)
• Get a list of comments
• Edit comments

For a full list of the WordPress API functions available to developers via XML-RPC, take a look at the XML-RPC page on the WordPress codex. If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress.

Lets use an example: You have an app on your iPhone that lets you moderate WordPress comments. Someone advises you to disable XML-RPC. Your iPhone app suddenly stops working because it can no longer communicate with your website using the API you just disabled.

To us, disabling XML-RPC comes with a cost. You are disabling a major API in WordPress. We briefly provided this capability, but removed the feature because WordPress’s own API abuse prevention has improved. Furthermore, providing the ability to disable XML-RPC caused confusion among users when their applications broke because they could not access the API.

Jetpack for WordPress is one of the most popular plugins for WordPress and relies heavily on XML-RPC to provide its features. It is developed by Automattic, makers of WordPress. If you visit the “Known Issues” page for Jetpack, you’ll notice they discuss how certain security plugins can impact Jetpack features if you use them to disable XML-RPC.

The following two kinds of attacks on XML-RPC have received press coverage during the past 2 years.

• DDoS via XML-RPC pingbacks. This is actually not a very effective form of DDoS and anti-spam plugins like Akismet have gotten good at spotting this kind of abuse.
• Brute force attacks via XML-RPC. These are completely ineffective if you’re using Wordfence Security Plugin for example because WordFence (or similar plugin) simply blocks the attacker after they reach the login attempt limit.

If you still want to disable XML-RPC, there are several security plugins to choose from in the official WordPress repository. You will lose any XML-RPC API functionality that your applications rely on. We generally don’t disable XML-RPC on our own sites, only when taking extreme security measures.