XML-RPC is a legacy remote procedure call protocol that WordPress has supported since version 3.5, originally designed to allow third-party desktop blogging clients and mobile apps to publish posts. Today, almost no legitimate WordPress usage requires XML-RPC — the REST API (introduced in WordPress 4.7) covers all the same use cases with better authentication and a modern JSON interface. Yet XML-RPC remains enabled by default, and it is a consistent target for brute-force attacks because its system.multicall method lets an attacker test hundreds of username/password combinations in a single HTTP request, bypassing per-request rate limiting. It is also used to amplify DDoS attacks via the WordPress pingback mechanism. The xmlrpc.php file should be disabled on any WordPress site that does not actively use a desktop blogging client, the Jetpack plugin, or the WordPress mobile app (which has since switched to the REST API). Disabling it at the .htaccess level (Apache) or nginx.conf level is the most efficient approach — the request is rejected before PHP even loads. The WordPress filter approach (xmlrpc_enabled) is a fallback for managed hosting where you cannot edit server config files. Combine this with the HTTP security headers guide, the wp-config.php protection guide, and brute-force login protection for a complete security hardening checklist.
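As an added example (not part of the original guide), the Python script below sifts a web-server access log for the traffic pattern described above: POST requests to xmlrpc.php. Per source address it reports how many requests WordPress actually served and how many bytes it returned, because a single system.multicall carrying many login guesses shows up as one request with an unusually large reply rather than as a burst of requests; it also counts requests the web server refused, which is what you expect to see after applying the block. The log format is assumed to be the Apache/nginx "combined" format, the sample lines use documentation addresses and invented sizes, and the thresholds in noisy_sources are illustrative.

```python
import re
from collections import defaultdict

# Assumption: the log is in the Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation addresses, invented sizes), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8514 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8498 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0.1"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:05 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""


def triage_xmlrpc(log_text: str) -> dict:
    """Summarise xmlrpc.php POST traffic per source address.

    served  : requests WordPress actually processed (2xx) with total reply bytes;
              one multicall carrying many login guesses is one request with a large reply
    blocked : requests refused with 403/404, i.e. the web-server block is in place
    """
    served = defaultdict(lambda: {"requests": 0, "bytes": 0})
    blocked = defaultdict(int)
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/xmlrpc.php"):
            continue  # GETs and other paths are not XML-RPC calls
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        if 200 <= status < 300:
            served[m["ip"]]["requests"] += 1
            served[m["ip"]]["bytes"] += size
        elif status in (403, 404):
            blocked[m["ip"]] += 1
    return {"served": dict(served), "blocked": dict(blocked), "unparsed": unparsed}


def noisy_sources(summary: dict, min_requests: int = 3, min_avg_bytes: int = 4096) -> list:
    """Addresses whose served xmlrpc.php POSTs exceed a request count or an average
    reply size. The thresholds are illustrative and should be tuned per site."""
    flagged = []
    for ip, stats in summary["served"].items():
        avg = stats["bytes"] / stats["requests"]
        if stats["requests"] >= min_requests or avg >= min_avg_bytes:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    summary = triage_xmlrpc(text)
    print(summary)
    print("review:", noisy_sources(summary))
```

Run it with the path to an access log as the only argument; with no argument it processes the built-in sample. The "blocked" counter is the quick way to confirm, from the log alone, that the web-server rule is taking effect after you deploy it.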
Problem: WordPress’s xmlrpc.php endpoint is being targeted by brute-force and DDoS amplification attacks and you need to disable it completely.
Solution: Choose the method that matches your hosting environment:
# ── Method 1: Block in .htaccess (Apache) — recommended ──────────────────────
<Files "xmlrpc.php">
  # Apache 2.4+ (mod_authz_core)
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 syntax, kept for old servers
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>

# ── Method 2: Redirect xmlrpc.php to 403 (alternative Apache) ────────────────
RedirectMatch 403 /xmlrpc\.php

# ── Method 3: Block in nginx.conf ────────────────────────────────────────────
# Goes inside the server { } block of the WordPress site. "deny all" already
# answers 403; the explicit return makes the intent obvious to the next reader.
location = /xmlrpc.php {
    deny all;
    return 403;
}

// Method 4: WordPress filter (for managed hosting without server config access)
// Add to the theme's functions.php or a must-use plugin. This filter only refuses
// XML-RPC logins: unauthenticated methods such as pingback.ping still answer, so the
// pingback amplification vector stays open, and PHP still runs for every request.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Method 5: Remove all XML-RPC methods (more thorough via PHP)
// With an empty method table every call, pingback.ping included, gets a "method does not exist" fault.
add_filter( 'xmlrpc_methods', function( array $methods ): array {
    return [];
} );
NOTE: If you use the Jetpack plugin, it requires XML-RPC to communicate with WordPress.com servers. Disabling XML-RPC will break Jetpack completely. Jetpack added REST API support in newer versions — check whether your Jetpack version can work without XML-RPC before disabling. Similarly, the official WordPress mobile app on older versions used XML-RPC; on current versions (5.0+) it uses the REST API. After disabling, verify with: curl -s -o /dev/null -w "%{http_code}" https://yourdomain.com/xmlrpc.php — the expected response is 403.
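The curl check above only reports the status code of a GET. The Python script below, added here as an example and not part of the original guide, sends the system.listMethods call that any XML-RPC client begins with (no parameters, no credentials) and interprets the reply. That tells the three outcomes apart: blocked at the web server (Methods 1 to 3), reachable but with an empty method list (Method 5), or reachable with pingback.ping still advertised, which is what Method 4 leaves behind because the xmlrpc_enabled filter only refuses logins. The posture labels and function names are my own, the sample responses are constructed, and the urllib request shape is an assumption about how a site you administer answers; run it with the site URL as the argument, or with no argument to see the classifier over the built-in samples.

```python
import sys
import urllib.error
import urllib.request
import xmlrpc.client


def build_list_methods_request() -> bytes:
    """XML-RPC body for system.listMethods: no parameters, no credentials."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode("utf-8")


def classify(status: int, body: bytes) -> dict:
    """Interpret the HTTP status and body returned for system.listMethods.

    posture labels (chosen for this example, not WordPress terminology):
      blocked-at-web-server     403/404 before WordPress ran (Methods 1-3)
      reachable-no-methods      WordPress answered with an empty method list (Method 5)
      reachable-methods-listed  WordPress answered and still advertises methods;
                                pingback_listed says whether pingback.ping is among them
      xmlrpc-fault              WordPress answered with an XML-RPC fault
      not-xmlrpc                200 but the body is not XML-RPC (a WAF or error page)
    """
    result = {"status": status, "posture": "", "pingback_listed": False, "method_count": 0}
    if status in (403, 404):
        result["posture"] = "blocked-at-web-server"
        return result
    if status != 200:
        result["posture"] = "unexpected-status"
        return result
    try:
        params, _ = xmlrpc.client.loads(body.decode("utf-8", "replace"))
    except xmlrpc.client.Fault as fault:
        result["posture"] = "xmlrpc-fault"
        result["fault"] = fault.faultString
        return result
    except Exception:  # ExpatError / ResponseError: not a well-formed XML-RPC reply
        result["posture"] = "not-xmlrpc"
        return result
    methods = params[0] if params and isinstance(params[0], list) else []
    result["method_count"] = len(methods)
    result["pingback_listed"] = "pingback.ping" in methods
    result["posture"] = "reachable-no-methods" if not methods else "reachable-methods-listed"
    return result


def check(site_url: str, timeout: float = 10.0) -> dict:
    """POST system.listMethods to <site>/xmlrpc.php and classify the reply."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml", "User-Agent": "xmlrpc-posture-check/1.0"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 403/404/405 and similar arrive here
        return classify(err.code, err.read())


# Constructed sample replies (not captured from a real site), one per posture.
_METHODS_OPEN = ["system.listMethods", "pingback.ping", "wp.getUsersBlogs"]
SAMPLE_RESPONSES = {
    "blocked": (403, b"<html><body><h1>403 Forbidden</h1></body></html>"),
    "open": (200, xmlrpc.client.dumps((_METHODS_OPEN,), methodresponse=True).encode()),
    "no-methods": (200, xmlrpc.client.dumps(([],), methodresponse=True).encode()),
    "fault": (200, xmlrpc.client.dumps(
        xmlrpc.client.Fault(405, "constructed fault text"), methodresponse=True).encode()),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))
    else:
        for name, (status, body) in SAMPLE_RESPONSES.items():
            print(f"{name:<10} -> {classify(status, body)}")
```

The result you want after Methods 1 to 3 is blocked-at-web-server. If the posture is reachable-methods-listed with pingback_listed true, the endpoint is still being served by PHP and the pingback vector is still open, whichever WordPress-level filter is installed.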