Disable XML-RPC in WordPress

XML-RPC was added in WordPress 3.5 and allows for remote connections, and unless you are using your mobile device to post to WordPress it does more bad than good. In fact, it can open your site up to a bunch of security risks. There are a few plugins that utilize this such as JetPack, but we don’t recommend using JetPack for performance reasons.

You can disable XML-RPC in WordPress by adding the following code to your functions.php file:

 * Disable XML-RPC in WordPress
add_filter('xmlrpc_enabled', 'disable_xmlrpc');
function disable_xmlrpc($enabled) {
  return false;
// Remove the XML-RPC header
add_filter('wp_headers', 'remove_xmlrpc_header');
function remove_xmlrpc_header($headers) {
  return $headers;
// Remove the X-Pingback HTTP header
add_filter('wp_headers', 'remove_x_pingback_header');
function remove_x_pingback_header($headers) {
  return $headers;
// Remove the XML-RPC methods from the method list
add_filter('xmlrpc_methods', 'remove_xmlrpc_methods');
function remove_xmlrpc_methods($methods) {
  return $methods;

In this code, the xmlrpc_enabled filter is used to disable XML-RPC by returning false. The wp_headers filter is used to remove the X-Pingback HTTP header, and the xmlrpc_methods filter is used to remove the XML-RPC methods from the list of available methods.

By using these filters, this code provides a comprehensive solution for disabling XML-RPC in WordPress. Just copy and paste the code into your functions.php file, or add it to a custom plugin, to disable XML-RPC on your WordPress site.

Was this guide helpful?