What Is Xmlrpc.php in WordPress? Why disable it?

Table of contents

    What is Xmlrpc.php?

    XML-RPC is a way to let your WordPress website communicate with outside websites/services.

    If you use the WordPress mobile app, for example, it requires this file in order to connect to your website.

    Why disable Xmlrpc.php?

    In short, it’s a security risk. It isn’t used by many things nowadays and we auto-disable it by default on all of our websites. There are a small handful of users who have requested it be enabled, but we highly advise against this.

    In the same way it allows other websites/services to access your website to add content/etc, hackers can also use this to brute force attack your website.

    Hackers can also use the file to DDoS your website and take it down (by overwhelming your hosting).

    Because of the ways xmlrpc.php can be abused, disabling it generally also lowers server resources needed to run your website, so it can also speed up your website. It’s really a win-win to disable it.