Fiverr Forum

Should YOU disable XML-RPC in WordPress?


XML-RPC is an XML-based protocol used to perform actions on a remote server. The name is an abbreviation of eXtensible Markup Language Remote Procedure Call: it is a remote procedure call protocol that uses XML to encode its messages and HTTP as its transport mechanism.

XML-RPC is the protocol of choice of a variety of frameworks and servers, for a variety of reasons. Inside the WordPress framework it provides many different functions: it is used to get information about posts, pages, taxonomies, media, comments, users and so on, and also to publish new posts, retrieve comments and receive trackbacks and pingbacks, among other things! It pretty much allows you to perform all blog-related activities from a remote point of access, without using the user interface.

The XML-RPC protocol has been enabled by default in WordPress since version 3.5, and WordPress no longer gives you the option to turn it off from within the user interface. Still, the XML-RPC feature is not required if you are not using any of the functionality mentioned in the previous paragraph, and it is NEVER a good idea to keep an unused interface open to the public when it offers a potential security risk. That said, the WordPress implementation of XML-RPC is pretty good nowadays and relatively free of risks…

If YOU want to leave the xmlrpc.php file intact but at the same time prevent access to it, you may paste the following code into the .htaccess file in your Apache document root:

<IfModule mod_alias.c>
    # Answer 403 for any request whose path ends in /xmlrpc.php (the site root included;
    # the pattern /(.*)/xmlrpc.php$ would not match /xmlrpc.php itself)
    RedirectMatch 403 /xmlrpc\.php$
</IfModule>

Perhaps the safest way to eliminate potential security vulnerabilities is to simply remove the XML-RPC script… but we do not advise you to do it…
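The XML-over-HTTP exchange described above, as an added example that is not from the original post: a Python script that sends the standard system.listMethods introspection call to your own xmlrpc.php and reports whether methods such as pingback.ping are still reachable, which is how you confirm that a rule like the .htaccess block actually took effect. The site URL, the set of watched methods and the sample response are assumptions constructed for the example.

```python
import xmlrpc.client
from urllib import error, request

# Methods a site owner usually wants to confirm are no longer reachable once
# XML-RPC has been restricted; pingback.ping is the one behind pingbacks.
# This set is an assumption for the example, not a list defined by WordPress.
WATCHED_METHODS = {"pingback.ping", "wp.getUsersBlogs", "system.multicall"}

# Constructed sample of a system.listMethods reply, used for offline checks.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getPosts</string></value>
</data></array></value></param></params></methodResponse>"""


def build_list_methods_request() -> bytes:
    """Body of the standard XML-RPC introspection call: a <methodCall> with no params."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def exposed_watched_methods(response_body: bytes) -> set:
    """Parse a system.listMethods <methodResponse> and return the watched methods it lists."""
    (methods,), _ = xmlrpc.client.loads(response_body)
    return WATCHED_METHODS & set(methods)


def audit_endpoint(url: str, timeout: float = 10.0) -> dict:
    """POST system.listMethods to your own xmlrpc.php and report what came back."""
    req = request.Request(url, data=build_list_methods_request(),
                          headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return {"status": resp.status,
                    "exposed": sorted(exposed_watched_methods(resp.read()))}
    except error.HTTPError as e:
        # A 403 here means the .htaccess rule is doing its job for this path.
        return {"status": e.code, "exposed": []}
    except xmlrpc.client.Fault as f:
        # WordPress answered with an XML-RPC <fault> instead of a method list.
        return {"status": 200, "fault": f.faultString, "exposed": []}


if __name__ == "__main__":
    # Placeholder hostname: replace with your own site before running.
    print(audit_endpoint("https://example.com/xmlrpc.php"))
```

An empty "exposed" list together with a 200 status means the endpoint still answers but none of the watched methods are advertised; a 403 means the request never reached WordPress.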


What does the XMLRPC.php file really do? Do I really need it??

When we see anything with the file extension .php, we are dealing with a script that the server executes to carry out some specific task. XML-RPC on WordPress is actually an API (application programming interface): it gives developers who make mobile apps, desktop apps and other services the ability to “talk” to, or interact with, your WordPress website. The XML-RPC API that WordPress provides to everybody gives developers a way of writing applications for YOUR own use. Those applications can do many of the things that you are able to do when you are logged into a WordPress website, including:

Publish a post,
Edit a post,
Delete a post,
Upload a new file (e.g. an image or a plugin),
Get a list of comments,
Edit comments,
Delete comments.

XMLRPC.php allows the following types of activity:

Posting directly to your eBlog using TextMate or BlogJet 3 and other weblog clients,
Posting directly to your eBlog using Thunderbird and other email apps,
Receiving pingbacks and trackbacks to your website from other websites.

Not everybody uses the remote posting functionality available to them in WordPress, but we can assure you that many blogs are using the protocol for the pingback and trackback functionality. Disabling XML-RPC comes with a cost: YOU are disabling a major API in WordPress and you will get an avalanche of 404 Errors.