Skip to main content
XML-RPC is a Remote Procedure Call method that uses XML over HTTP. WordPress is configured to use an XML-RPC interface out of the box that enables other websites or apps to interact with your site. XML-RPC requires valid XML to be sent via HTTP posts, but leaving it enabled is a potential security risk because it can be used for SQL injection attacks, Server Side Forgery, and other malicious activities. This article shows how to disable XML-RPC in WordPress using the A2 Optimized for WordPress plugin.

Disabling XML-RPC

To disable XML-RPC using the A2 Optimized for WordPress plugin, follow these steps:
  1. Log in to your WordPress site as the administrator.
  2. Under Dashboard, click A2 Optimized:
    A2 Optimized WP - Dashboard menu
  3. Click the Optimization tab:
    A2 Optimized WP - Optimization tab
  4. In the left sidebar, click Security:
    A2 Optimized WP - Sidebar - Security
  5. In the SECURITY section, at the bottom click More Optimizations:
    A2 Optimized WP - Security - More Optimizations
  6. In the Block Unauthorized XML-RPC Requests row, click the slider to enable or disable blocking:
    A2 Optimized WP - Security - XML-RPC slider

More information

For more information about the XML-RPC service for WordPress, please visit https://codex.wordpress.org/XML-RPC_Support.