Best way to eliminate xmlrpc.php?

Since WordPress 3.5 this option (XML-RPC) is enabled by default, and the ability to turn it off from WordPress dashboard is gone.

Add this code snippet for use in functions.php: 

// Disable use XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );

// Disable X-Pingback to header
add_filter( 'wp_headers', 'disable_x_pingback' );
function disable_x_pingback( $headers ) {
    unset( $headers['X-Pingback'] );

return $headers;
}

Although it does what it says, it can get intensive when a site is under attack by hitting it.
You may better off using following code snippet in your .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

Or use this to disable access to the xmlrpc.php file from NGINX server block.

# nginx block xmlrpc.php requests
location /xmlrpc.php {
    deny all;
}

Be aware that disabling also can have impact on logins through mobile. If I am correct WordPress mobile app does need this.
See Codex for more information about the use of XML-RPC.

  • Please make always a backup of the file(s) before edit/add.

Edit/Update

@Prosti, -You are absolutely correct- about the options which RESTful API will offer for WordPress!

I forgot to mention this. It should already have been integrated into core (WordPress version 4.1) which was not possible at that time. But as it seems, will be core in WordPress 4.5 .

The alternative for the moment is this plugin: WordPress REST API (Version 2)
You can use it till Restful API is also core for WordPress.
Target date for release of WordPress 4.5. (April 12, 2016 (+3w))

For those who are interested in RESTful, on Stackoverflow is a very nice community wiki.

Related Posts:

  1. Is moving wp-config outside the web root really beneficial?
  2. Hide the fact a site is using WordPress?
  3. Prevent setup-config.php page from appearing when host blocks database
  4. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  5. How to secure WordPress XMLRPC?
  6. How to disable XML-RPC from Linux command-line in a total way?
  7. WordPress Malware Problem help! [duplicate]
  8. neccessary?
  9. XML-RPC errors they know my username?
  10. Best practices to assert current_user_can() with guests
  11. XMLRPC slow and weird websites/services
  12. Can I Remove xmlrpc.php completely?
  13. 404/500 error on content images if Referer header is from another domain [closed]
  14. Checking for origin of a xmlrpc request
  15. WordPress Security tools
  16. What’s the best approach for generating a new API key?
  17. Simplest two-way encryption using PHP
  18. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  19. how fix “this certificate cannot be verified up to a trusted certification authority”
  20. How can bcrypt have built-in salts?
  21. Getting a List of Currently Available Roles on a WordPress Site?
  22. What’s the easiest way to stop WP from ever logging me out
  23. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  24. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  25. What’s the difference between esc_* functions?
  26. How to set up fail2ban with WordFence?
  27. Which KSES should be used and when?
  28. How to remove “Connection Information” requirement on localhost install of WP on MACOSX
  29. WordPress “Site Health Status” trust it or myself for its security advice?
  30. Generate WordPress salt
  31. Stop wordpress automatically escaping $_POST data
  32. Is WP vulnerable when updating plugins or themes?
  33. how can i embed wordpress backend in iframe
  34. Garbage in beginning of wp-config.php – was this WP installation compromised?
  35. Have multiple local wordpress installs share a wp-content folder and database
  36. Can I force a password change?
  37. What is the relationship between cURL, WordPress and cacert.pem?
  38. Save metabox checkboxes values to custom content type
  39. Is it necessary to use esc_url with template tags such as get_permalink?
  40. What is pclzip.lib.php file that wordfence think it’s a malicious code
  41. How to prevent bot or someone to modify any file automatically?
  42. HTTP Security Headers in wp-config
  43. How to remove javascript malware in wordpress site [closed]
  44. Staging Site: Made Public – Security Questions
  45. Best Way to Enable Two Step Authentication
  46. Securing my WordPress Files and Directories
  47. Securing a multi-user permission structure
  48. Is default functions like update_post_meta safe to use user inputs?
  49. No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
  50. Securing wp-config leads to sensitive information leak on wp-settings
  51. Preventing BFA in WordPress without using a plugin
  52. Suspicious Files
  53. What’s the point of forbidding access to wp-config.php?
  54. wp-json and what data does it give away?
  55. Is is necessary to use security plugin for wordpress? [closed]
  56. Simple Online Payment for Event Registration [closed]
  57. Client side HTTP parameter pollution (reflected)
  58. Local file inclusion critical security issue [closed]
  59. my wordpress website is suspended [closed]
  60. iTheme Security always lockout my account [closed]
  61. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  62. WordPress Front end Form – Enable to Submit PHP Codes
  63. Is it safe use wp_editor in public contact form
  64. Is WordPress MultiSite secure & how much can it scale? [closed]
  65. How to find exploited wordpress plugin [closed]
  66. How safe is current_user_can()?
  67. Is it safe to give wordpress directories ownership to www-data?
  68. Do we need to escape data that we receive from theme options?
  69. Best Way to Add UnEditable HTML to Posts
  70. Why does WordPress change a file’s permissions?
  71. Side effects of disallowing *.php requests in production environment?
  72. Outgoing new connection to linked Websites – why?
  73. My Site keeps crashing due to the wp-confg file being deleted
  74. Insert menu with a custom walker into page / post body using shortcode?
  75. Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
  76. Replace domain in database
  77. What highest security brake with wordpress and static files?
  78. Spam in WordPress root folder
  79. Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
  80. 404 errors when updating options in admin dashboard
  81. HSTS header not being added correctly
  82. how to protect wordpress content from crawler
  83. Should I worry about SQL injection when using REST API?
  84. Problems with setting up a subdomain to serve images and scripts
  85. Cannot access wp admin of WordPress website (security plugin issue) [closed]
  86. Why are the latest visits to my website originating from my own website?
  87. How do I hide WordPress users from security scanning?
  88. Background Updates Not Happening
  89. wp-config.php file and code injection
  90. Add default content to post (for specific category)
  91. FORCE_SSL_ADMIN affecting subdomains
  92. What is the best security $_POST method?
  93. How can you find and replace text in wordpress files on localhost xampp folders?
  94. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  95. Directory to store secure file
  96. How can I give someone server access to only duplicate and modify a site?
  97. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  98. How can I implement ansible with per-host passwords, securely?
  99. Can you alter the default wordpress strong password requirements?
  100. how to sanitizing $_POST with the correct way?

Leave a Comment

tech