Why should I disable XML-RPC?

In short: XML-RPC is out of date and a common attack vector for spammers. We recommend disabling XML-RPC on most WordPress sites.

But I'm sure you want to know more...

What is XML-RPC?

"It's remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned." From: http://xmlrpc.scripting.com/

In short, it's a way for different websites or systems to talk to each other. However, it's a really old way to do it and has been superseded by the WordPress REST API project, which is so much better in so many ways.

It remains in WordPress so that older plugins and systems can still use it, but most sites never have a legitimate use for it. It is abused by spammers and hackers looking for an entry point to the system. Performance Foundry's web application firewall and Akismet's anti-spam features can block the worst of this behaviour, but it's safer to just turn it off.

What tools might still use it?

We're aware of the following plugins and tools that still use XML-RPC. 

This is not a complete list; it only covers issues that we've run into through support. If you know of something that misbehaves without XML-RPC, please let us know by contacting support :)

  • If this, then that (last checked Q3, 2018)

How do I disable XML-RPC?

For Performance Foundry clients, it's simple. Log in to your WordPress dashboard, go to Foundry Anvil settings, and switch the 'Disable XML-RPC' tab to green:

In the screenshot above, XML-RPC is still accessible. Turn the switch green and save options to disable it.

Troubleshooting XML-RPC issues

If any issues arise, flick this switch back off, and contact Performance Foundry support so we can troubleshoot it. Normally, we only expect to see issues with external tools, not tools that run directly on your site.
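
To find out which external tools still call XML-RPC on a site, before turning it off or while troubleshooting afterwards, you can summarise POST requests to /xmlrpc.php from the web server access log. The Python script below is an added example, not Performance Foundry or WordPress code; it assumes the log is in the common "combined" format, and the log lines, IP addresses and user-agent names in it are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (assumed):
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "ExampleIntegration/1.0"',
    '192.0.2.10 - - [01/Jan/2024:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "ExampleIntegration/1.0"',
    '198.51.100.7 - - [01/Jan/2024:11:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "constructed-client-a"',
    '203.0.113.9 - - [01/Jan/2024:11:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "constructed-client-a"',
    '192.0.2.44 - - [01/Jan/2024:11:05:00 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 800 "-" "constructed-browser"',
    '192.0.2.44 - - [01/Jan/2024:11:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "constructed-browser"',
]


def xmlrpc_summary(lines):
    """Group POSTs to xmlrpc.php by user agent: request count, client IPs, statuses."""
    summary = defaultdict(lambda: {"posts": 0, "ips": set(), "statuses": Counter()})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not an RPC call (XML-RPC calls are POSTs)
        path = m["path"].split("?", 1)[0]  # drop any query string
        if not path.endswith("/xmlrpc.php"):
            continue
        entry = summary[m["ua"]]
        entry["posts"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"][m["status"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for ua, e in sorted(xmlrpc_summary(SAMPLE_LOG).items()):
        print(f"{ua}: {e['posts']} POSTs from {len(e['ips'])} IP(s), "
              f"statuses {dict(e['statuses'])}")
```

A user agent that belongs to a tool you recognise is the one to re-test after the switch is turned on; if it stops working, that is the case to raise with support.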