With this step-by-step tutorial, we will go over how to disable WordPress XMLRPC without a plugin. Continue reading to learn more!

Before we begin, let’s identify what XMLRPC is used for. Remote communications between our website and external apps are made possible through XMLRPC. In other words, it enables consumers to engage with our WordPress website using different mobile apps or blogging services. This was useful in the early days of the Internet when users chose to edit blog posts offline before connecting and publishing them.

Unfortunately, the benefits provided by XMLRPC have diminished significantly over time. This is one of the factors contributing to the preference of many of our clients to disable WordPress XMLRPC.

Additionally, leaving WordPress’ XMLRPC enabled increases the danger of Brute force and DDoS assaults.

How to Disable WordPress XMLRPC:

The first step is to enter into your WordPress hosting account and go to File Manager in cPanel.

Next, locate the .htaccess file by going to the public html folder. The search bar can be used to locate this file as well. In rare circumstances, finding the htaccess file may require visiting settings and selecting Show hidden files.

Open the .htaccess file after that, and then add the following code to it:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Congratulations, you’ve now disabled XMLRPC on your WordPress website successfully, without the use of any third party plugins! If you are looking for a reliable WordPress hosting provider, be sure to take a look at RackNerd’s server hosting solutions below.

Server Hosting Solutions by RackNerd:

Shared Hosting
cPanel Web Hosting in US, Europe, and Asia datacenters
Logo
Reseller Hosting
Create your new income stream today with a reseller account
Logo
VPS (Virtual Private Server)
Fast and Affordable VPS services - Instantly Deployed
Logo
Dedicated Servers
Bare-metal servers, ideal for the performance-demanding use case.
Logo

Leave a comment

Your email address will not be published.