What is xmlrpc.php in WordPress and should you disable it?

xmlrpc.php is a WordPress file that historically allowed remote applications to communicate with a site. It supported features such as mobile publishing, pingbacks and integrations before the REST API became common.

Why xmlrpc.php can be risky

Attackers often target XML-RPC for brute-force login attempts and abuse of pingback functionality. On sites that do not need it, disabling access can reduce attack surface.

Should you disable it?

If you do not use mobile apps, Jetpack features or external tools that require XML-RPC, disabling it is usually safe. If you rely on Jetpack or remote publishing, test carefully before blocking it.

How to approach it

Use a security plugin, web server rule or hosting-level protection to block XML-RPC requests. Monitor logs afterward to confirm legitimate services are not affected.

Modern alternative

For custom integrations, prefer the WordPress REST API with proper authentication and permissions.

Leave a Reply