Best way to eliminate xmlrpc.php?

Since WordPress 3.5 this option (XML-RPC) is enabled by default, and the ability to turn it off from WordPress dashboard is gone.

Add this code snippet for use in functions.php:

// Disable use XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );

// Disable X-Pingback to header
add_filter( 'wp_headers', 'disable_x_pingback' );
function disable_x_pingback( $headers ) {
    unset( $headers['X-Pingback'] );

return $headers;
}

Although it does what it says, it can get intensive when a site is under attack by hitting it.
You may better off using following code snippet in your .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

Or use this to disable access to the xmlrpc.php file from NGINX server block.

# nginx block xmlrpc.php requests
location /xmlrpc.php {
    deny all;
}

Be aware that disabling also can have impact on logins through mobile. If I am correct WordPress mobile app does need this.
See Codex for more information about the use of XML-RPC.

  • Please make always a backup of the file(s) before edit/add.

Edit/Update

@Prosti, -You are absolutely correct- about the options which RESTful API will offer for WordPress!

I forgot to mention this. It should already have been integrated into core (WordPress version 4.1) which was not possible at that time. But as it seems, will be core in WordPress 4.5 .

The alternative for the moment is this plugin: WordPress REST API (Version 2)
You can use it till Restful API is also core for WordPress.
Target date for release of WordPress 4.5. (April 12, 2016 (+3w))

For those who are interested in RESTful, on Stackoverflow is a very nice community wiki.

Leave a Comment

tech