WordPress Security Hardening – Disable XML-RPC through .htaccess (easy)


What is XML-RPC in WordPress?

XML-RPC is a built-in WordPress API that has been enabled by default since version 3.5, released in 2012. It lets developers use XML over HTTPS to connect to and control a WordPress site remotely from outside tools. You need XML-RPC turned on if you want to post content or manage your site from a mobile app, or if you want to link up with automation tools like Uncanny Automator or Zapier.

If you don’t use mobile apps or remote tools with your website, most cyber security specialists suggest turning off XML-RPC. Doing this closes an entry point that attackers might use against your site.

Here’s how you can turn off XML-RPC in WordPress. The .htaccess method works well since it doesn’t use many system resources, but some other options may be easier if you’re new to editing WordPress settings.

Method 1: Editing .htaccess file directly

Only try this if you’re comfortable editing your .htaccess file. The rule blocks XML-RPC requests at the web server, before they reach WordPress, so PHP never runs for them and your site keeps running smoothly. Add the code below using FTP, your host’s file manager, or the LiteSpeed Cache (LSCache) plugin’s .htaccess editor.

Simply add this piece of code to the end of your .htaccess file (located in the root of your site’s files, usually the public_html folder):

```apache
# Block WordPress xmlrpc.php requests
# (Apache 2.2-style access directives; Apache 2.4 accepts them via mod_access_compat)
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>
```

Method 2: Turn Off WordPress XML-RPC With a Plugin

Don’t want to or can’t edit code? Just install and activate the Disable XML-RPC-API plugin. It shuts off XML-RPC right away. You can adjust its settings or whitelist certain IPs under XML-RPC Security in your dashboard.

Testing if XML-RPC is disabled

To find out if XML-RPC is off on your WordPress site, start by using a simple browser test.

Open a browser window and type your site’s address.

Then add `/xmlrpc.php` at the end (www.mydomain.com/xmlrpc.php). Press Enter.

If you see a message like “XML-RPC server accepts POST requests only,” XML-RPC is still active.

If the page instead shows a 403, 404 or any other Forbidden error, XML-RPC is turned off. You can also use online tools like XML-RPC Validator or site security checkers.
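The same browser test, scripted so you can re-check a site after every .htaccess change. This is an added example, not code from the original post; the classification rules follow the two outcomes described above, and the default site address is a placeholder you replace with your own.

```python
import sys
import urllib.error
import urllib.request

# Text a live WordPress xmlrpc.php returns to a plain GET request.
ENABLED_MARKER = "XML-RPC server accepts POST requests only"


def classify_xmlrpc_response(status: int, body: str) -> str:
    """Classify one GET /xmlrpc.php response as described in the browser test.

    Returns "enabled", "disabled" or "unknown". The "POST requests only"
    notice means WordPress handled the request, so the endpoint is live.
    A 403 or 404 means the request was blocked before WordPress ran
    (the .htaccess rule) or the file is not served at all.
    """
    if ENABLED_MARKER in body:
        return "enabled"
    if status in (403, 404):
        return "disabled"
    return "unknown"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Fetch <base_url>/xmlrpc.php and classify the result."""
    url = base_url.rstrip("/") + "/xmlrpc.php"
    req = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(4096).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # 403/404 are raised as exceptions; the status code is what we need.
        status = err.code
        body = err.read(4096).decode("utf-8", errors="replace")
    except urllib.error.URLError:
        return "unreachable"
    return classify_xmlrpc_response(status, body)


if __name__ == "__main__":
    # Placeholder address; pass your own site as the first argument.
    site = sys.argv[1] if len(sys.argv) > 1 else "https://www.mydomain.com"
    print(f"{site}: XML-RPC {check_site(site)}")
```

Run it before and after adding the .htaccess rule; the result should change from "enabled" to "disabled".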

In short: once yoursite.com/xmlrpc.php answers with a “Forbidden” message in your browser, XML-RPC is disabled. Check out our other guides for adding JavaScript in WordPress or for top WordPress development tools.
