Disabling XML-RPC

Since WordPress 3.5 the XML-RPC interface is activated by default. In the past, it was easy to deactivate it, today it is only possible to do so in a roundabout way. But only a few users really need it, which is why the activated interface is no more than a risk in the end. Disabling unused features also brings back performance, but this is more about general security, which is not necessarily increased with enabled XML-RPC. XML-RPC is used for remote posting via Microsoft Word, for pingbacks, for the iOS and Android apps, for things that not necessarily every user uses or even needs. And as I always preach, everything that is not used should be disabled, switched off, completely removed as soon as possible. This is also true for XML-RPC. Get rid of it. Unfortunately, this is not as easy as I thought, so I wrote here an extensive guide to deactivate XML-RPC in WordPress.

Disable XML-RPC in WordPress

In general there is a simple snippet to disable XML-RPC in WordPress. This sounds simple, but it's only the first step, because actually three different snippets are necessary to get rid of XML-RPC in WordPress completely.

Copy the following into the Functions.php your themes:

add_filter( 'xmlrpc_enabled', '__return_false' );

The snippet above now disables XML-RPC in WordPress, but the problem is still that it appears in the HTTP header. You can easily check this with a tool like RedBot, which presents you all entries in the HTTP header of your website. In the ideal case your header should look like this:


If you have unnecessary entries in the HTTP-Header, you should check where they actually come from and if you can remove them. There is also a lot of garbage in the WordPress header, but how you remove it, I had specified once before. Back to the subject.

Remove XML-RPC from the HTTP header

Now if your HTTP header, and it probably will, contains an entry with X-Pingback and xmlrpc.php then you still have the same problem. For hackers, spammers, attackers, this is a clear sign, so remove the entry from the header.

Enter the following in the Functions.php of your theme:

add_filter( 'wp_headers', 'FastWP_remove_x_pingback' );
 function FastWP_remove_x_pingback( $headers )
 unset( $headers['X-Pingback'] );
 return $headers;

With this snippet, the direct URL to xmlrpc.php is removed from the header. Bots, hackers, attackers, spammers - they all now no longer automatically receive information that they should not receive at all. If they still manage to get the xmlrpc.php WordPress immediately blocks access.

Improve performance through blocking

In the end, the performance can still be improved. As long as WordPress is based on the xmlrpc.php can access, hidden calls will continue to appear that do not exactly improve performance. So to improve the overall performance a little bit with a last step, you should use the xmlrpc.php still via .htaccess block. Here's how it works. Another Tips for the .htaccess can be found here.

Add the following to the .htaccess of your WordPress installation:

 Order Deny,Allow
 Deny from all

Security and performance

In the end, all this is good for safety and performance. If you don't need something in WordPress, you should always disable it if possible, just to get a little bit more performance out of it. Security also plays an important role with the XML-RPC interface, because bots and hackers automatically access it or try to access it again and again. With the snippets and the manual above, you can help here.

So XML-RPC is completely disabled in WordPress, which in the end brings more security and a little bit more performance. You won't feel the latter, but it's also worth it to relieve your own server a little bit and to fend off or deter the attackers in advance. I hope I could help you.

About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics but I like to write about SEO, which has been my passion for over 10 years now.

7 thoughts on “XML-RPC komplett deaktivieren”

    1. It doesn't work for me either. Since the author does not give any feedback here either, I assume that he simply copied it stupidly from the internet.

        1. The author is basically not a free source for "free" support. Unfortunately, this is sometimes taken for granted in blogs, but I think it makes sense to mention this maybe at the end of every article. If we offer individual support on every request, I will have an additional "half-day job"...
          And to your 2nd statement - our article was published almost 2 years earlier and NO, it was not written off somewhere.
          And in order to give a little "food for thought" here - precisely because the article is already from 2013 - it could be possible, but only really possible, that the path proposed here is no longer up to date and no longer works.

          1. Jens Roggemann

            Completely new food for thought:
            If one of my posts was as obviously (?) out of date as I know it is, I would try to bring it up to date. ... I would at least feel better as an "expert".

  1. I have installed a WooCommerce plugin but disabled it. Was included in the theme. The link is also displayed. What am I doing wrong? Thank you very much and best regards

Leave a Comment

Your email address will not be published. Required fields are marked *