Block XML-RPC protocol in WordPress

If you’re not using XML-RPC, you should disable it from your site to prevent bots/hackers from hacking your site or slowing down your site with repeat XML-RPC attacks. Usually, the biggest problem with XML-RPC attacks is not that they get in but that they bog down your server with so many blocked requests.

  • XML-RPC is used to commonly used to connect to your site and blog from an a mobile app or remote publishing service. If you never publish to your site from anywhere but directly in WordPress admin itself, you are fine to disable it!
  • You can easily block all xmlrpc.php requests using .htaccess to prevent them from even getting passed into WordPress. Don’t bother using a security plugin for this, they’re either slower to process the block or they essentially do the same by adding this same bit of code to your htaccess.

Simply paste the following code in your .htaccess file (preferably at the very top):

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>order deny,allow
deny from all
allow from

If that above code doesn’t work and/or you’re on OpenLiteSpeed, you can try:

RewriteRule xmlpc.php$ - [F,L]

DEDICATED VPS CLIENTS – apply the code below to enforce it server-wide:

  • WHM/cPanel – go to Apache Configuration from WHM, then Include Editor, then pick Pre Main include and All Versions.
  • Plesk – edit /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php, then run /usr/local/psa/admin/bin/httpdmng --reconfigure-all to regenerate LS conf and restart LS afterwards.
  • CyberPanel – unfortunately no global apply available.

RewriteRule xmlpc.php$ - [F,L – make that code is placed between <IfModule Litespeed> and </IfModule>

Reference link to learn more about XML-RPC:

Looking for ultra-fast WordPress hosting?

Learn More About JVPS

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *