XML-RPC was added in WordPress 3.5 and allows for remote connections, and unless you are using your mobile device to post to WordPress it does more bad than good. In fact, it can open your site up to a bunch of security risks. There are a few plugins that utilize this such as JetPack, but we don’t recommend using JetPack for performance reasons.
Disable XML-RPC
Follow the steps below to disable XML-RPC. Note: If you’re a Kinsta client, XML-RPC is already disabled by default.
Step 1
Click into the Perfmatters plugin settings.
Step 2
Make sure you’re on the “General” submenu.
Step 3
Toggle on “Disable XML-RPC.”
Step 4
Scroll down and click “Save Changes.” The endpoint for XML-RPC is now disabled.
The feature also removes the XML-RPC HTTP response header associated with it.
It also removes the following link tag from your site’s source code.
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://testing.local/xmlrpc.php?rsd" />
Verify XML-RPC is disabled
You can verify that XML-RPC is disabled by using this free XML-RPC validation tool. If you get an error such as the one below, then you are good to go.
Disable XML-RPC at server-level
If you need a more aggressive approach, you can also disable XML-RPC at the server-level.
Nginx
If you’re using an Nginx web server, add the following code to your Nginx config.
location ~* ^/xmlrpc.php$ {
deny all;
}
Apache
If you’re using an Apache web server, add the following code to your .htaccess
file.
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
Note that with the above approach, you might need to whitelist services like JetPack, or other solutions that utilize XML-RPC.