XML-RPC is a remote access protocol in WordPress. While it enables features like mobile app posting, it's also a common attack vector for brute-force and DDoS amplification attacks.
Disable via .htaccess
Add to public_html/.htaccess:
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
This blocks all requests to xmlrpc.php. This prevents brute-force attacks that exploit XML-RPC authentication.
Disable via Plugin
Install Disable XML-RPC from the plugin directory. Activate it, and that's all. The plugin adds a filter that disables XML-RPC without needing .htaccess changes.
When You Should Keep XML-RPC
If you use the WordPress mobile app, Jetpack, or third-party publishing tools that rely on XML-RPC, disabling it will break those integrations. In that case, target brute-force XML-RPC attacks specifically: use Wordfence or Cloudflare WAF to block requests that include auth credentials.
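Whether you block xmlrpc.php or keep it, the access log shows how hard it is being hit and whether the deny rule is answering with 403. The following is an added example, not part of the original page: it assumes the Apache combined log format, and the function names, the threshold of 3 and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:05:01 +0000] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "-"
192.0.2.10 - - [10/Mar/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
"""

def summarize_xmlrpc(log_text, threshold=3):
    """Count POSTs to xmlrpc.php per client IP, split by outcome.

    Returns {ip: {"total", "blocked", "served", "flagged"}}. 'blocked' means
    HTTP 403; any other status counts as 'served' because the deny rule did
    not stop it. 'threshold' is an assumed tuning value, not a default of
    WordPress or Apache.
    """
    stats = defaultdict(lambda: {"total": 0, "blocked": 0, "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string; match the file in any install directory.
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/xmlrpc.php"):
            continue
        entry = stats[m["ip"]]
        entry["total"] += 1
        entry["blocked" if m["status"] == "403" else "served"] += 1
    return {ip: {**e, "flagged": e["total"] >= threshold} for ip, e in stats.items()}

def block_is_effective(summary):
    """True when every logged POST to xmlrpc.php was answered with 403."""
    return all(e["served"] == 0 for e in summary.values())

if __name__ == "__main__":
    for ip, e in sorted(summarize_xmlrpc(SAMPLE_LOG).items()):
        print(ip, e)
```

Run it against a log taken after the .htaccess change: a non-zero "served" count means requests are still reaching xmlrpc.php.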