Why should I disable XML-RPC?

In short: XML-RPC is out of date and a common attack vector for spammers. We recommend disabling XML-RPC on most WordPress sites.

But I'm sure you want to know more...

What is XML-RPC

"It's remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned." (From: http://xmlrpc.scripting.com/)

In short, it's a way for different websites or systems to talk to each other. However, it's a really old way to do it and has been superseded by the WordPress REST API project, which is so much better in so many ways.

It hangs around in WordPress so that older plugins and systems can still use it, but most sites never have a legitimate use for it. It is abused by spammers and hackers looking for an entry point to the system. Performance Foundry's web application firewall and Akismet's anti-spam features can block the worst of this behaviour, but it's safer to just turn it off.

What tools might still use it?

We're aware of the following plugins and tools that still use XML-RPC. 

This is not a complete list; it only covers issues that we've run into through support. If you know of something that misbehaves without XML-RPC, please let us know by contacting support :)

  • IFTTT (If This Then That), last checked Q3 2018
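
Before turning XML-RPC off, your access log can show which clients are actually calling it. The script below is an added example, not Performance Foundry tooling: it counts POST requests to /xmlrpc.php per client IP and user agent, assuming your web server writes the "combined" access log format. The sample log lines, IP addresses and user agents are constructed.

```python
import re
from collections import Counter

# Combined Log Format (assumed):
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)


def xmlrpc_callers(lines):
    """Count POSTs to xmlrpc.php per (client IP, user agent)."""
    callers = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        # endswith() also covers WordPress installed in a subdirectory
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            callers[(m.group("ip"), m.group("agent"))] += 1
    return callers


# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleBot/1.0"',
    '203.0.113.7 - - [12/Sep/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleBot/1.0"',
    '203.0.113.7 - - [12/Sep/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "ExampleBot/1.0"',
    '198.51.100.20 - - [12/Sep/2018:11:15:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "ExamplePublishingTool/2.1"',
    '198.51.100.20 - - [12/Sep/2018:11:16:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "ExamplePublishingTool/2.1"',
    '192.0.2.55 - - [12/Sep/2018:11:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    # Busiest callers first; a name you recognise here is a tool to test
    # after the switch is turned on.
    for (ip, agent), hits in xmlrpc_callers(SAMPLE_LOG).most_common():
        print(f"{hits:5d}  {ip:15s}  {agent}")
```

A caller you recognise in the output is a tool to check after disabling XML-RPC; callers you don't recognise are the traffic the switch is meant to stop.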

How do I disable XML-RPC?

For Performance Foundry clients, it's simple. Log into your WordPress dashboard > Foundry Anvil settings and switch the 'Disable XML-RPC' tab to green:

In the screenshot above, XML-RPC is still accessible. Turn the switch green and save options to disable it.

Troubleshooting XML-RPC issues

If any issues arise, flick this switch back off, and contact Performance Foundry support so we can troubleshoot it. Normally, we only expect to see issues with external tools, not tools that run directly on your site.
