How to Disable XML-RPC in WordPress to Block Attacks

by dotCanada Team
If you look at the access logs for a WordPress site, one pattern you will see repeatedly is automated requests to a file called xmlrpc.php. These are not legitimate visitors - they are bots probing your site for a vulnerability they can exploit. XML-RPC is one of the most commonly targeted entry points on WordPress installations, and for the vast majority of websites, it can be safely disabled entirely.

What XML-RPC Is

XML-RPC (Extensible Markup Language Remote Procedure Call) is an API that allows external applications to communicate with your WordPress site over HTTP. It predates the modern WordPress REST API and was the original way apps like the WordPress mobile app, desktop blogging clients like Windows Live Writer, and services like Jetpack communicated with your site remotely.

The file xmlrpc.php sits in your WordPress root directory and responds to authenticated requests that can do things like publish posts, manage comments, and retrieve content. It is enabled by default on every WordPress installation.

Why Attackers Target It

The main vulnerability is a feature called system.multicall, which allows a single XML-RPC request to execute multiple commands at once. Attackers exploit this to run hundreds or thousands of login attempts inside a single HTTP request - something that would be much harder and slower through the regular login page, where each attempt requires a separate request.

This means XML-RPC amplification attacks can test enormous numbers of password combinations while generating relatively little network traffic, making them harder to block with simple rate limiting. Even failed attacks consume server resources and can slow down your site for real visitors.

Attackers also use compromised WordPress sites as amplifiers in distributed denial-of-service (DDoS) attacks, using xmlrpc.php to relay traffic and overwhelm other targets.
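The log pattern described above, as an added example that is not part of the original post: a short Python script that tallies requests to xmlrpc.php per client IP over a few constructed Apache combined-format log lines and flags the sources WordPress actually answered. The IPs, timestamps and user agents are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:01:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:10:01:09 +0000] "GET /about/ HTTP/1.1" 200 8123 "https://example.ca/" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.ca/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def xmlrpc_hits(log_text):
    """Return {ip: {"requests": n, "accepted": m}} for requests to xmlrpc.php.
    'accepted' counts 2xx responses, i.e. requests WordPress actually processed."""
    hits = defaultdict(lambda: {"requests": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").split("?")[0].endswith("/xmlrpc.php"):
            continue
        rec = hits[m.group("ip")]
        rec["requests"] += 1
        if m.group("status").startswith("2"):
            rec["accepted"] += 1
    return dict(hits)

def flag_sources(log_text, threshold=3):
    """IPs whose accepted xmlrpc.php requests reach the threshold. Because a single
    system.multicall request can carry many login attempts, the threshold is kept
    deliberately low compared with what you would use for wp-login.php."""
    return sorted(ip for ip, r in xmlrpc_hits(log_text).items() if r["accepted"] >= threshold)

if __name__ == "__main__":
    for ip, rec in xmlrpc_hits(SAMPLE_LOG).items():
        print(f"{ip}: {rec['requests']} requests, {rec['accepted']} accepted")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

After xmlrpc.php is blocked at the server level, the same tally should show only non-2xx statuses for that path.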

Why Most Sites Do Not Need It

The WordPress mobile app now uses the REST API instead of XML-RPC, so if you only manage your site from the WordPress dashboard in a browser, you have no use for it at all.

The main legitimate uses that still depend on XML-RPC are:

  • Jetpack - Some older Jetpack features used XML-RPC, though Jetpack has largely moved to its own API. If you use Jetpack, check their documentation before disabling XML-RPC.
  • Old mobile app versions - Very old installs of the WordPress iOS or Android app.
  • Third-party publishing tools - Some older desktop blogging clients still use XML-RPC.

For most Canadian small business websites, none of these apply. If you are not sure, disable XML-RPC and test your site - if anything breaks, you will know immediately.

How to Disable XML-RPC

Method 1: Plugin (easiest)

Install the free plugin Disable XML-RPC from the WordPress plugin directory. It does exactly one thing and does it well. No configuration needed - activate it and it is done.

If you already use a security plugin like Wordfence or iThemes Security, check whether it has a built-in option to disable XML-RPC before adding another plugin.

Method 2: .htaccess block

Add the following to your .htaccess file (found in your WordPress root directory, accessible via cPanel File Manager or FTP):

# Block WordPress xmlrpc.php
# Order/Deny is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded,
# otherwise replace the two lines inside <Files> with:  Require all denied
<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
</Files>

This prevents any requests to xmlrpc.php from being processed by WordPress at all, blocking the file at the server level before WordPress even loads.

Method 3: Filter in functions.php

You can add a filter to your theme's functions.php file or a custom plugin to disable XML-RPC at the WordPress application level:

add_filter('xmlrpc_enabled', '__return_false');

This is the softest approach - the file still responds but reports that XML-RPC is disabled.

For the strongest protection, the .htaccess method or a combination approach is best.

Checking That It Is Actually Disabled

After disabling XML-RPC, verify it worked. Visit https://yourdomain.ca/xmlrpc.php in your browser. If you see a blank page, a 403 Forbidden error, or a "Not Found" error, it is blocked. If you see a message that says "XML-RPC server accepts POST requests only," it is still accessible and your disabling method did not work as expected.

You can also use the free online tool at xmlrpc.eritreo.it to test whether your site responds to XML-RPC requests.
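The browser check above, as an added example (not from the original post): a small Python script that fetches /xmlrpc.php for a site you pass on the command line and maps the answer to the outcomes the article lists. The sample responses are constructed, and https://yourdomain.ca is a placeholder.

```python
import urllib.request
import urllib.error

# Constructed responses covering the outcomes the article describes (not captured from a real site).
SAMPLE_RESPONSES = {
    "htaccess":  (403, "<html><body><h1>Forbidden</h1></body></html>"),
    "deleted":   (404, "Not Found"),
    "blank":     (200, ""),
    "untouched": (200, "XML-RPC server accepts POST requests only."),
}

def classify_xmlrpc(status, body):
    """Map an HTTP GET result for /xmlrpc.php to one of three verdicts.
    'blocked'  : the request never reached the XML-RPC handler (403, 404 or blank page).
    'reachable': WordPress answered with its standard GET banner, so the endpoint is still live.
    'unknown'  : something else answered; inspect it by hand."""
    if status in (403, 404) or not body.strip():
        return "blocked"
    if "XML-RPC server accepts POST requests only" in body:
        return "reachable"
    return "unknown"

def check_site(base_url, timeout=10):
    """Fetch <base_url>/xmlrpc.php and classify the answer. urllib raises on 4xx/5xx,
    so the error object is used to recover the status code and body."""
    url = base_url.rstrip("/") + "/xmlrpc.php"
    req = urllib.request.Request(url, headers={"User-Agent": "xmlrpc-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return classify_xmlrpc(status, body)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))   # e.g. python check_xmlrpc.py https://yourdomain.ca
    else:
        for name, (status, body) in SAMPLE_RESPONSES.items():
            print(f"{name:10s} -> {classify_xmlrpc(status, body)}")
```

A "reachable" result after Method 3 is expected for a plain GET, because that filter only refuses authenticated XML-RPC calls; this check confirms the server-level block of Method 2.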

One More Thing: Protect the Login Page Too

Once XML-RPC is disabled, brute force attempts will shift to your regular login page at /wp-login.php. Limit login attempts with a plugin like Limit Login Attempts Reloaded and consider enabling two-factor authentication. A secure WordPress site addresses multiple entry points, not just one.
