Most WordPress sites should block or restrict xmlrpc.php if they do not use legacy mobile publishing, pingbacks, Jetpack features or remote integrations that still depend on it. The safe choice is to audit dependencies first, then block, restrict or allowlist based on evidence.
XML-RPC risk depends on site configuration, plugins, traffic and whether any trusted integration still needs the endpoint. Treat the change like a security control: audit dependencies, block or restrict carefully, verify expected workflows and keep a rollback path.
| Situation | Recommended action | Reason |
|---|---|---|
| No known XML-RPC use | Block xmlrpc.php | Reduces an unnecessary attack surface. |
| Jetpack or mobile app depends on it | Restrict or allowlist | Keeps required workflow while reducing exposure. |
| Unknown dependencies | Audit first | Avoid breaking publishing or remote services. |
| Active abuse | Block or rate-limit at server/WAF | Stops traffic before WordPress handles it. |
| Check | How |
|---|---|
| Jetpack | Confirm whether current features use XML-RPC in this setup. |
| Mobile app publishing | Ask editors before blocking. |
| Pingbacks | Disable if not intentionally used. |
| Remote management tools | Review plugin docs and logs. |
| Server logs | Identify legitimate IPs before allowlisting. |
| Layer | Use when |
|---|---|
| Plugin | You need a quick low-risk test. |
| Apache .htaccess | Apache handles the site and you can edit safely. |
| Nginx location block | Nginx serves PHP requests. |
| WAF or CDN | You want edge filtering before traffic reaches the server. |
| IP allowlist | A trusted service still needs XML-RPC. |
After blocking or restricting xmlrpc.php, test login, publishing workflow, Jetpack if used, mobile apps, availability monitors and any remote integration. Then watch server logs for repeated attempts.
Keep a rollback note. If a legitimate service breaks, prefer an allowlist or authenticated path rather than reopening XML-RPC to the whole internet.
Repeated POST requests to xmlrpc.php, high CPU during login attempts or many failed authentication logs can indicate abuse. Rate limiting, WAF rules and server-level blocks are often more effective than only hiding the endpoint in WordPress settings.
For VPS users, review web server logs and fail2ban or WAF events after the change.
If the site does not need XML-RPC, block it at the server or WAF layer and monitor logs. If a verified service needs it, restrict by IP, authentication or rate limits instead of leaving it fully open.
Use this page to choose whether xmlrpc.php should be blocked, restricted, rate-limited or monitored. The practical question is not whether XML-RPC sounds risky; it is whether this site still has a verified dependency that needs the endpoint.
For production sites, do not paste server rules without a recovery path. Check Jetpack, mobile publishing, pingbacks, remote management tools, server logs, WAF rules and config syntax before applying a block.
| Risk | Control |
|---|---|
| Unverified dependencies | Check Jetpack, mobile apps, pingbacks, remote management tools and access logs before blocking the endpoint. |
| Production breakage | Back up config, test Apache or Nginx syntax, keep a rollback rule and apply changes during low traffic when possible. |
| Hidden ownership gaps | Document where the block lives, who owns allowlists, how logs are reviewed and how to reopen access safely if needed. |
| Wrong success metric | Measure reduced XML-RPC abuse, stable publishing workflows, fewer failed login bursts, normal CPU load and clean error logs. |
A good outcome is specific and observable. The WordPress security posture should be easier to operate, easier to troubleshoot and safer to change. The team should know what changed, why it changed, where the backup lives, which links or dashboards matter, and what should be checked after the next update.
If the work is customer-facing, review it from the visitor's point of view as well as the administrator's point of view. A technically correct setup can still fail if the page is confusing, the checkout path is unclear, the lead form is too broad, or the server location does not match the real audience.
After the change goes live, verify the public URL, metadata, links, forms, checkout paths, logs and any dashboards that prove the work is functioning. For WordPress and WooCommerce pages, also check that Gutenberg blocks are balanced, Rank Math title and description are intentional, and old risky claims did not remain in cached content.
No. Audit dependencies first. Some legacy workflows, services or mobile publishing setups may still need it.
A plugin can help, but server or WAF rules usually stop abusive requests earlier.
Request the endpoint with curl or a browser and check the response. A default WordPress endpoint often returns an XML-RPC message for GET requests and accepts POST requests. After blocking, confirm the expected 403, 404 or WAF response and check server logs.
Yes, a WAF or CDN rule can block or challenge requests before they reach WordPress. This is useful when abuse is heavy, but verified integrations may need an allowlist, rate limit or separate authenticated path.
Allowlisting is useful when a verified service still needs XML-RPC and has stable source IPs.