Wordpress - Best way to eliminate xmlrpc.php?

Since WordPress 3.5 this option (XML-RPC) is enabled by default, and the ability to turn it off from WordPress dashboard is gone.

Add this code snippet for use in functions.php:

// Disable XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the X-Pingback header from responses
add_filter( 'wp_headers', 'disable_x_pingback' );
function disable_x_pingback( $headers ) {
    unset( $headers['X-Pingback'] );

    return $headers;
}

Although it does what it says, it can get intensive when a site is under attack by requests hitting it.
You may be better off using the following code snippet in your .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

Or use this to disable access to the xmlrpc.php file from NGINX server block.

# nginx block xmlrpc.php requests
location /xmlrpc.php {
    deny all;
}

Be aware that disabling it can also have an impact on logins through mobile. If I am correct, the WordPress mobile app does need this.
See Codex for more information about the use of XML-RPC.

  • Please always make a backup of the file(s) before editing/adding.


Edit/Update

@Prosti, you are absolutely correct about the options which the RESTful API will offer for WordPress!

I forgot to mention this. It should already have been integrated into core (WordPress version 4.1), which was not possible at that time. But, as it seems, it will be in core in WordPress 4.5.

The alternative for the moment is this plugin: WordPress REST API (Version 2).
You can use it until the RESTful API is also core for WordPress.
Target date for the release of WordPress 4.5: April 12, 2016 (+3w).

For those who are interested in RESTful, there is a very nice community wiki on Stack Overflow.


When you have the ability to block it via your web server's configuration, @Charles' suggestions are good.

If you can only disable it using PHP, the xmlrpc_enabled filter is not the right way. As documented here: https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/ it only disables XML-RPC methods that require authentication.

Instead use the xmlrpc_methods filter to disable all methods:

<?php
// Disable all xml-rpc endpoints
add_filter('xmlrpc_methods', function () {
    return [];
}, PHP_INT_MAX);

You can test if it's working by sending a POST request to xmlrpc.php with the following content:

<methodCall>
    <methodName>system.listMethods</methodName>
</methodCall>

If the filter is working, there should only be 3 methods left:

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
    <params>
        <param>
            <value>
                <array>
                    <data>
                        <value>
                            <string>system.multicall</string>
                        </value>
                        <value>
                            <string>system.listMethods</string>
                        </value>
                        <value>
                            <string>system.getCapabilities</string>
                        </value>
                    </data>
                </array>
            </value>
        </param>
    </params>
</methodResponse>

You can quickly test it with curl:

curl -X POST \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/xml' \
  -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' \
  https://your-wordpress-site.com/xmlrpc.php
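The same check the curl command above performs, written as an added Python script (not part of either answer, and not WordPress code) that a site owner can run against their own installation after applying one of the fixes. It sends the system.listMethods call from the answer above and classifies the result: a 403/404 from the web server means the .htaccess or nginx block from the first answer is in place, a 200 whose method list contains only the three built-in system.* methods means the xmlrpc_methods filter is in place, and anything else is reported as still exposed or as an unexpected shape (for instance an HTML error page). The sample responses embedded for offline testing are constructed from the response shown in the answer; the `probe()` URL argument and the `demo.sayHello` method name used in the "exposed" sample are assumptions (the latter is one of WordPress's own demo methods, chosen only because it is harmless).

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Request body from the answer above: ask xmlrpc.php which methods it exposes.
LIST_METHODS_REQUEST = "<methodCall><methodName>system.listMethods</methodName></methodCall>"

# Methods WordPress still reports after the xmlrpc_methods filter returns an
# empty list (the three names from the sample response in the answer above).
BUILTIN_SYSTEM_METHODS = {"system.multicall", "system.listMethods", "system.getCapabilities"}

# Constructed sample: the locked-down response from the answer, collapsed to one string.
SAMPLE_LOCKED_DOWN_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<methodResponse><params><param><value><array><data>"
    "<value><string>system.multicall</string></value>"
    "<value><string>system.listMethods</string></value>"
    "<value><string>system.getCapabilities</string></value>"
    "</data></array></value></param></params></methodResponse>"
)

# Constructed sample: what an unfiltered endpoint might answer (one extra,
# harmless WordPress demo method appended; assumption for illustration only).
SAMPLE_EXPOSED_RESPONSE = SAMPLE_LOCKED_DOWN_RESPONSE.replace(
    "</data>", "<value><string>demo.sayHello</string></value></data>"
)


def parse_list_methods(xml_text):
    """Return the set of method names in a system.listMethods response.

    Raises ValueError when the body is not a well-formed <methodResponse>, so
    an HTML error page or a WAF block page is reported instead of being
    mistaken for an empty (i.e. safe) method list.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc) from exc
    if root.tag != "methodResponse":
        raise ValueError("unexpected root element <%s>" % root.tag)
    if root.find("fault") is not None:
        raise ValueError("endpoint answered with an XML-RPC fault")
    return {
        node.text or ""
        for node in root.iterfind("./params/param/value/array/data/value/string")
    }


def classify(status, body):
    """Classify one probe result.

    'blocked'  - the web server refused the request (.htaccess / nginx approach)
    'filtered' - PHP answered, but only the built-in system.* methods remain
    'exposed'  - real WordPress methods are still listed
    'unknown'  - status or body did not match any expected shape
    """
    if status in (403, 404, 405):
        return "blocked"
    if status != 200:
        return "unknown"
    try:
        methods = parse_list_methods(body)
    except ValueError:
        return "unknown"
    # Some setups strip the system.* methods too, so an empty set also counts.
    if methods <= BUILTIN_SYSTEM_METHODS:
        return "filtered"
    return "exposed"


def probe(site_url, timeout=10.0):
    """POST the listMethods call to <site_url>/xmlrpc.php; return (status, body)."""
    request = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=LIST_METHODS_REQUEST.encode("utf-8"),
        headers={"Content-Type": "application/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 403 from the web server block lands here; keep the status and body.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python check_xmlrpc.py https://your-wordpress-site.com
    status, body = probe(sys.argv[1])
    print("HTTP %d -> xmlrpc.php is %s" % (status, classify(status, body)))
```

Run it against your own site after each change: the .htaccess or nginx rule should report "blocked", the xmlrpc_methods filter should report "filtered", and the xmlrpc_enabled filter alone will still report "exposed", which is the point the answer above makes.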

We are using the .htaccess file to protect it from hackers.

# BEGIN protect xmlrpc.php
<files xmlrpc.php>
order allow,deny
deny from all
</files>
# END protect xmlrpc.php