{"id":120965,"date":"2020-10-01T07:53:30","date_gmt":"2020-10-01T07:53:30","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/disable-xml-rpc-php\/"},"modified":"2026-02-04T06:54:59","modified_gmt":"2026-02-04T06:54:59","slug":"disable-xml-rpc-api","status":"publish","type":"plugin","link":"https:\/\/tt.wordpress.org\/plugins\/disable-xml-rpc-api\/","author":17915221,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"2.1.7","stable_tag":"trunk","tested":"6.9.4","requires":"5.0","requires_php":"","requires_plugins":null,"header_name":"Disable XML-RPC-API","header_author":"Neatma","header_description":"Disable access to xmlrpc.php file using .htaccess for security reasons.","assets_banners_color":"ada3b5","last_updated":"2026-02-04 06:54:59","external_support_url":"","external_repository_url":"","donate_link":"http:\/\/neatma.com\/wpsg-plugin","header_plugin_uri":"https:\/\/neatma.com\/dsxmlrpc-plugin\/","header_author_uri":"https:\/\/neatma.com\/","rating":4.1,"author_block_rating":0,"active_installs":100000,"downloads":796812,"num_ratings":42,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"aminnz","date":"2020-12-15 09:04:49"},"1.0.1":{"tag":"1.0.1","author":"aminnz","date":"2020-12-15 09:07:34"},"1.0.5":{"tag":"1.0.5","author":"aminnz","date":"2021-01-12 08:28:36"},"1.0.6":{"tag":"1.0.6","author":"aminnz","date":"2021-01-12 08:32:18"},"1.0.7":{"tag":"1.0.7","author":"aminnz","date":"2021-01-13 17:46:52"},"1.0.8":{"tag":"1.0.8","author":"aminnz","date":"2021-01-25 08:25:18"},"1.0.9":{"tag":"1.0.9","author":"aminnz","date":"2021-04-01 18:42:01"},"2.0.0":{"tag":"2.0.0","author":"aminnz","date":"2021-04-10 17:07:28"},"2.1.0":{"tag":"2.1.0","author":"aminnz","date":"2021-05-14 06:16:57"},"2.1.1":{"tag":"2.1.1","author":"aminnz","date":"2021-07-22 
09:43:02"},"2.1.2":{"tag":"2.1.2","author":"aminnz","date":"2022-01-30 18:31:19"},"2.1.3":{"tag":"2.1.3","author":"aminnz","date":"2022-06-04 09:32:04"},"2.1.4":{"tag":"2.1.4","author":"aminnz","date":"2022-08-21 06:19:40"},"2.1.4.1":{"tag":"2.1.4.1","author":"aminnz","date":"2022-08-22 06:42:41"},"2.1.4.3":{"tag":"2.1.4.3","author":"aminnz","date":"2022-08-22 07:49:49"},"2.1.4.4":{"tag":"2.1.4.4","author":"aminnz","date":"2022-09-17 06:15:49"},"2.1.4.5":{"tag":"2.1.4.5","author":"aminnz","date":"2022-11-06 05:56:21"},"2.1.4.7":{"tag":"2.1.4.7","author":"aminnz","date":"2023-02-12 07:33:26"},"2.1.4.8":{"tag":"2.1.4.8","author":"aminnz","date":"2023-08-13 06:56:02"},"2.1.4.9":{"tag":"2.1.4.9","author":"aminnz","date":"2023-08-13 07:27:13"},"2.1.5":{"tag":"2.1.5","author":"aminnz","date":"2024-04-20 07:45:36"},"2.1.6":{"tag":"2.1.6","author":"aminnz","date":"2024-11-28 07:15:35"},"2.1.7":{"tag":"2.1.7","author":"aminnz","date":"2026-02-04 06:54:59"}},"upgrade_notice":[],"ratings":{"1":7,"2":2,"3":1,"4":0,"5":32},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":2391445,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":2391445,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":2391445,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":2391445,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.0.1","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","2.0.0","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.4.1","2.1.4.3","2.1.4.4","2.1.4.5","2.1.4.7","2.1.4.8","2.1.4.9","2.1.5","2.1.6","2.1.7"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":2439629,"resolution":"1","location":"assets","locale":""},"screenshot-
2.jpg":{"filename":"screenshot-2.jpg","revision":2524261,"resolution":"2","location":"assets","locale":""}},"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[42034,42035,3026,230090,14731],"plugin_category":[44],"plugin_contributors":[194089,195459],"plugin_business_model":[],"class_list":["post-120965","plugin","type-plugin","status-publish","hentry","plugin_tags-disable-xml-rpc","plugin_tags-disable-xmlrpc","plugin_tags-pingback","plugin_tags-stop-brute-force-attacks","plugin_tags-xmlrpc","plugin_category-discussion-and-community","plugin_contributors-aminnz","plugin_contributors-neatmarketing","plugin_committers-aminnz"],"banners":{"banner":"https:\/\/ps.w.org\/disable-xml-rpc-api\/assets\/banner-772x250.jpg?rev=2391445","banner_2x":"https:\/\/ps.w.org\/disable-xml-rpc-api\/assets\/banner-1544x500.jpg?rev=2391445","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/disable-xml-rpc-api\/assets\/icon-128x128.png?rev=2391445","icon_2x":"https:\/\/ps.w.org\/disable-xml-rpc-api\/assets\/icon-256x256.png?rev=2391445","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/disable-xml-rpc-api\/assets\/screenshot-1.png?rev=2439629","caption":""},{"src":"https:\/\/ps.w.org\/disable-xml-rpc-api\/assets\/screenshot-2.jpg?rev=2524261","caption":""}],"raw_content":"<!--section=description-->\n<p>Protect your website from xmlrpc brute-force attacks, DOS and DDOS attacks; this plugin disables the XML-RPC and trackbacks-pingbacks on your WordPress website.<\/p>\n\n<p><strong>PLUGIN FEATURES<\/strong>\n(These are options you can enable or disable each one)<\/p>\n\n<ul>\n<li>Disable access to xmlrpc.php file using .htaccess file <\/li>\n<li>Automatically change htaccess file permission to read-only (0444)<\/li>\n<li>Disable X-pingback to minimize CPU usage <\/li>\n<li>Disable selected methods from XML-RPC<\/li>\n<li>Remove pingback-ping link from header<\/li>\n<li>Disable trackbacks and 
pingbacks to avoid spammers and hackers<\/li>\n<li>Rename XML-RPC slug to whatever you want<\/li>\n<li>Black list IPs for XML-RPC<\/li>\n<li>White list IPs for XML-RPC<\/li>\n<li>Some options to speed-up your wordpress website<\/li>\n<li>Disable JSON REST API<\/li>\n<li>Hide WordPress Version<\/li>\n<li>Disable built-in WordPress file editor<\/li>\n<li>Disable wlw manifest<\/li>\n<li>And some other options<\/li>\n<\/ul>\n\n<p><strong>What is XMLRPC<\/strong><\/p>\n\n<p>XML-RPC, or XML Remote Procedure Call is a protocol which uses XML to encode its calls and HTTP as a transport mechanism.\nBeginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable\/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.<\/p>\n\n<p><strong>Why you should disable XML-RPC<\/strong>\n<em>Xmlrpc has two main weaknesses<\/em><\/p>\n\n<ul>\n<li>Brute force attacks:\nAttackers try to login to WordPress using xmlrpc.php with as many username\/password combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. Daniel Cid at Sucuri described it well in October 2015: \u201cWith only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.\u201d<\/li>\n<li>Denial of Service Attacks via Pingback:\nBack in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to \u201cherd (these sites) into a voluntary botnet,\u201d according to Gur Schatz at Incapsula. 
\u201cThis gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.\u201d<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the disable-xml-rpc directory to the <code>\/wp-content\/plugins\/<\/code> directory in your WordPress installation<\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<li>XML-RPC-API is now disabled!<\/li>\n<\/ol>\n\n<p>To re-enable XML-RPC, just deactivate the plugin through the 'Plugins' menu.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"is%20there%20an%20admin%20interface%20for%20this%20plugin%3F\"><h3>Is there an admin interface for this plugin?<\/h3><\/dt>\n<dd><p>Yes, You can find the \"XML-RPC Security\" in your admin menu.<\/p><\/dd>\n<dt id=\"how%20do%20i%20know%20if%20the%20plugin%20is%20working%3F\"><h3>How do I know if the plugin is working?<\/h3><\/dt>\n<dd><p>There are three easy methods for checking if XML-RPC is off:\n1. Easiest way is going to this url: http:\/\/yourdomain\/xmlrpc.php enter your domain name instead of 'yourdomain' if you see \"Access forbidden!\" or \"403 error\" it's working.\n2. First, try using an XML-RPC client, like the official WordPress mobile apps. The WordPress mobile app should tell you that \"XML-RPC services are disabled on this site\" if the plugin is activated.\n3. Or you can try the XML-RPC Validator, written by Danilo Ercoli of the Automattic Mobile Team - the tool is available at <a href=\"http:\/\/xmlrpc.eritreo.it\/\">http:\/\/xmlrpc.eritreo.it\/<\/a> with a blog post about it at <a href=\"http:\/\/daniloercoli.com\/2012\/05\/15\/wordpress-xml-rpc-endpoint-validator\/\">http:\/\/daniloercoli.com\/2012\/05\/15\/wordpress-xml-rpc-endpoint-validator\/<\/a>. 
Keep in mind that you want the validator to fail and tell you that XML-RPC services are disabled.<\/p><\/dd>\n<dt id=\"something%20doesn%27t%20seem%20to%20be%20working%20correctly\"><h3>Something doesn't seem to be working correctly<\/h3><\/dt>\n<dd><p>If the plugin is activated, but XML-RPC appears to still be working ... OR ... the plugin is deactivated, but XML-RPC is not working, then it's possible that another plugin or theme function is affecting the plugin functions.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Fix bugs<\/li>\n<\/ul>\n\n<h4>1.0.5<\/h4>\n\n<ul>\n<li>Remove pingback link tag in header<\/li>\n<li>Add ability to fix htaccess file permission<\/li>\n<\/ul>\n\n<h4>1.0.6<\/h4>\n\n<ul>\n<li>Fix warnings for htaccess permission<\/li>\n<\/ul>\n\n<h4>1.0.7<\/h4>\n\n<ul>\n<li>Fix blank page when using W3 Total Cache and some other cache plugins<\/li>\n<\/ul>\n\n<h4>1.0.8<\/h4>\n\n<ul>\n<li>Fix code conflict with Autoptimize plugin<\/li>\n<\/ul>\n\n<h4>1.0.9<\/h4>\n\n<ul>\n<li>Wordpress 5.7 compatible<\/li>\n<li>Fix some issues<\/li>\n<\/ul>\n\n<h4>2.0.0<\/h4>\n\n<ul>\n<li>Fix code conflict with some other plugin<\/li>\n<li>Fix hiding data in WooCommerce Product Tabs<\/li>\n<\/ul>\n\n<h4>2.1.0<\/h4>\n\n<p>*Major Update\n*Add \"XML-RPC Security\"settings menu\n*Add some new features\n*Fix plugin deactivation bug<\/p>\n\n<h4>2.1.1<\/h4>\n\n<ul>\n<li>Add new feature fix hotlinks<\/li>\n<li>Change notif timing<\/li>\n<\/ul>\n\n<h4>2.1.2<\/h4>\n\n<ul>\n<li>Add an option to disable auto change htaccess permission<\/li>\n<li>Fix \"DISALLOW_FILE_EDIT\" warning<\/li>\n<li>Wordpress 5.8 compatibility<\/li>\n<\/ul>\n\n<h4>2.1.3<\/h4>\n\n<ul>\n<li>Fix compatibility issue with WordPress 5.9<\/li>\n<li>Fix htaccess cleaning function <\/li>\n<\/ul>\n\n<h4>2.1.4<\/h4>\n\n<ul>\n<li>Fix some minor bugs<\/li>\n<li>Refactor the entire codes <\/li>\n<li>Add a fallback function for 
situations htaccess is not working<\/li>\n<\/ul>\n\n<h4>2.1.4.2<\/h4>\n\n<ul>\n<li>Hotfix for error on update <\/li>\n<\/ul>\n\n<h4>2.1.4.3<\/h4>\n\n<ul>\n<li>Hotfix for error on removing v metadata <\/li>\n<\/ul>\n\n<h4>2.1.4.4<\/h4>\n\n<ul>\n<li>Fix warning undefined variable $htaccess_code when disable hotlink fix is off<\/li>\n<li>Fix warning Undefined array key \u201cplugins\u201d on PHP 8+<\/li>\n<\/ul>\n\n<h4>2.1.4.5<\/h4>\n\n<ul>\n<li>Fix removing vpingback header issue in the last major update<\/li>\n<li>Update tested up to wp 6.1<\/li>\n<\/ul>\n\n<h4>2.1.4.7<\/h4>\n\n<ul>\n<li>Fix issues on vuninstallation hook<\/li>\n<li>Minor improvements on admin review notification <\/li>\n<\/ul>\n\n<h4>2.1.4.8<\/h4>\n\n<ul>\n<li>Fix bug v wp reset API option <\/li>\n<\/ul>\n\n<h4>2.1.4.9<\/h4>\n\n<ul>\n<li>Update Jetpack default whitelist IPs<\/li>\n<li>Fix bug with update actions function<\/li>\n<li>Keep enabling WP RSS in default settings<\/li>\n<li>Test with WordPress 6.3 and update tested up to<\/li>\n<\/ul>\n\n<h4>2.1.5<\/h4>\n\n<ul>\n<li>Hotfix for .htaccess error and disabling the admin notices<\/li>\n<\/ul>\n\n<h4>2.1.6<\/h4>\n\n<ul>\n<li>Clean Up the plugin codes (remove unnecessary codes)<\/li>\n<li>Add VaultPress IPs to JetPack allowlist<\/li>\n<li>Test compatibility with WordPress 6.6.1<\/li>\n<\/ul>\n\n<h4>2.1.7<\/h4>\n\n<ul>\n<li>Improve disable xmlrpc fallback method <\/li>\n<li>Test compatibility with WordPress 6.7.1<\/li>\n<\/ul>","raw_excerpt":"A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback-ping in WordPress 3.5+ for a faster and more secure 
website","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/120965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=120965"}],"author":[{"embeddable":true,"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/aminnz"}],"wp:attachment":[{"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=120965"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=120965"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=120965"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=120965"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=120965"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/tt.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=120965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}