XML-RPC can be useful for external services to access your WordPress site, but can also cause additional resource usage and security issues from being active.
As a general rule, we recommend disabling any services you're not using, and depending on your particular use-case, XML-RPC might be one of them. Of course, keep in mind that some services such as Jetpack rely on XML-RPC and
In this article, we'll show you how to disable XML-RPC to gain additional performance and security on your site.
Disabling XML-RPC on the Server Level
The best way to block incoming XML-RPC requests is by blocking it on the server side of things. This way, anyone attempting to access XML-RPC will be immediately blocked before anything else is handled, such as PHP processes.
If you're using some services that use XML-RPC, such as Jetpack, XML-RPC requests can also be filtered to only allow requests from a particular service.
To block XML-RPC on the server side, contact support for more information.
Disabling XML-RPC via a WordPress Plugin
While not quite as effective as blocking on a server level, XML-RPC can also be blocked using a WordPress plugin. To do so, install the Disable XML-RPC plugin from the WordPress plugin repository.
Inside this plugin, there aren't any settings to define. Just activate the plugin and all XML-RPC requests will be disabled.