
How to disable XML-RPC in WordPress

XML-RPC was added in WordPress 3.5 and allows for remote connections. Unless you are using your mobile device to post to WordPress, it does more harm than good. In fact, it can open your site up to a number of security risks. A few plugins rely on it, such as JetPack, but we don’t recommend using JetPack for performance reasons.

Disable XML-RPC

Follow the steps below to disable XML-RPC. Note: If you’re a Kinsta client, XML-RPC is already disabled by default.

Step 1

Click into the Perfmatters plugin settings.

Perfmatters plugin settings

Step 2

Under the “Options” tab and “General” sub-navigation menu, toggle on “Disable XML-RPC.”

Disable XML-RPC with Perfmatters plugin

Step 3

Scroll down and click “Save Changes.”

Verify XML-RPC is disabled

You can verify that XML-RPC is disabled by using this free XML-RPC validation tool. If you get an error such as the one below then you are good to go.

Check if XML-RPC is enabled

Disabling XML-RPC also removes the HTTP response header associated with it.

XML-RPC HTTP response header
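
A scripted version of the two checks above, added here as an example and not part of Perfmatters: it posts a `system.listMethods` call to `/xmlrpc.php` and looks on the front page for `X-Pingback`, the header WordPress uses to advertise the XML-RPC endpoint. The function names and sample responses are constructed for illustration.

```python
"""Check a WordPress site for a live XML-RPC endpoint and the X-Pingback header."""
import sys
import urllib.error
import urllib.request
import xmlrpc.client

# Harmless introspection call that an enabled endpoint answers with a method list.
PROBE = xmlrpc.client.dumps((), methodname="system.listMethods").encode()

def xmlrpc_enabled(status, body):
    """True only if the response is a valid, non-fault XML-RPC method list."""
    if status != 200:
        return False  # 403/404/405 etc.: endpoint blocked or removed
    try:
        params, _ = xmlrpc.client.loads(body)
    except Exception:  # XML-RPC fault, malformed XML, or an HTML error page
        return False
    return len(params) == 1 and isinstance(params[0], list) and bool(params[0])

def has_pingback_header(headers):
    """True if the response still advertises the endpoint via X-Pingback."""
    return any(name.lower() == "x-pingback" for name in headers)

def fetch(url, data=None):
    """Return (status, headers, body), treating HTTP errors as normal responses."""
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def check_site(base_url):
    """POST the probe to xmlrpc.php, then GET the front page for its headers."""
    base = base_url.rstrip("/")
    status, _, body = fetch(base + "/xmlrpc.php", PROBE)
    _, headers, _ = fetch(base + "/")
    return {"xmlrpc_enabled": xmlrpc_enabled(status, body),
            "x_pingback": has_pingback_header(headers)}

# Constructed sample responses (not captured from a real site).
SAMPLE_ENABLED = xmlrpc.client.dumps((["system.listMethods", "wp.getUsersBlogs"],),
                                     methodresponse=True).encode()
SAMPLE_FAULT = xmlrpc.client.dumps(xmlrpc.client.Fault(405, "disabled"),
                                   methodresponse=True).encode()

if __name__ == "__main__":
    print(check_site(sys.argv[1]))  # pass your own site's base URL
```

After following the steps above, both values in the result should be `False`.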
