
XML-RPC in WordPress: what it is 🧩

XML-RPC is a WordPress feature (available at https://your-site.com/xmlrpc.php) that lets external apps/services communicate with your site using a remote procedure call protocol (XML over HTTP).

Common legitimate uses

  • Jetpack (some features rely on XML-RPC depending on configuration)
  • Mobile/desktop apps that publish posts remotely
  • Some automation/integration tools
  • Historically: pingbacks/trackbacks (these are largely outdated and often abused)

Why people disable it 🔒

XML-RPC is not “insecure by default,” but it’s a frequent target because:

  1. Brute-force login attempts
    • Attackers can try many passwords efficiently via system.multicall.
  2. DDoS amplification / abuse
    • Especially via pingback mechanisms on sites that allow it.
  3. It’s often unnecessary
    • Many modern setups use the REST API instead.

Should you disable it in SpinupWP? ✅

If you don’t explicitly need XML-RPC, then yes—disable it. This is a common hardening step and usually reduces attack noise meaningfully.

Keep it enabled if you rely on it

Don’t disable (or disable partially) if you use:

  • Jetpack features that require XML-RPC
  • A mobile publishing app or legacy integration that depends on xmlrpc.php
  • Certain third-party services that still use XML-RPC to post/update content

If you’re unsure, check your logs for requests to /xmlrpc.php and confirm whether any are coming from known services you use.


What “disabling” should mean (best practice)

Ideally, you want one of these outcomes:

  1. Block XML-RPC entirely
    Best if you never use it.
  2. Disable only pingbacks (but keep other methods)
    Useful if you need XML-RPC for publishing/Jetpack but want to stop common abuse.

SpinupWP typically offers server-level controls (e.g., Nginx rules) or guidance to block xmlrpc.php. If you tell me how you’re planning to disable it (SpinupWP toggle, custom Nginx snippet, plugin), I can advise the safest approach.
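As an added illustration (not code from this page, from WordPress core, or from SpinupWP), a must-use plugin that implements the two outcomes above at the application layer; the constant XMLRPC_HARDENING_MODE and the plugin name are assumed, and the 403 refusal is the PHP-level equivalent of the Nginx deny rule mentioned for SpinupWP.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (added example, not SpinupWP's or WordPress's own code)
 *
 * Drop into wp-content/mu-plugins/. Choose the outcome in wp-config.php:
 *   define( 'XMLRPC_HARDENING_MODE', 'block' );           // outcome 1: refuse every request
 *   define( 'XMLRPC_HARDENING_MODE', 'pingbacks_only' );  // outcome 2: keep publishing, drop pingbacks
 * XMLRPC_HARDENING_MODE is an assumed name for this example.
 */

if ( ! defined( 'XMLRPC_HARDENING_MODE' ) ) {
    // Assumed default: the outcome that keeps Jetpack/mobile publishing working.
    define( 'XMLRPC_HARDENING_MODE', 'pingbacks_only' );
}

if ( 'block' === XMLRPC_HARDENING_MODE ) {
    // xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so an mu-plugin
    // sees it early and can refuse the request before any method is dispatched.
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        http_response_code( 403 );
        exit;
    }
    // Belt and braces: also mark the API disabled for authenticated methods,
    // so a login via XML-RPC fails even if the check above is bypassed somehow.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

if ( 'pingbacks_only' === XMLRPC_HARDENING_MODE ) {
    // Remove only the pingback methods from the method table; wp.*, blogger.*,
    // metaWeblog.* and friends stay available for apps and Jetpack.
    add_filter( 'xmlrpc_methods', function ( array $methods ) {
        unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
        return $methods;
    } );

    // Stop advertising the pingback endpoint in HTTP responses.
    add_filter( 'wp_headers', function ( array $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );

    // Treat pings as closed on every post, so nothing accepts one by another path.
    add_filter( 'pings_open', '__return_false' );
}
```

For outcome 1 a server-level Nginx deny is still preferable, because the request never reaches PHP at all; the plugin covers hosts where only the application layer is under your control. Either way, confirm the result by watching the access log for /xmlrpc.php after the change, as suggested above.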


Quick decision checklist 🧠

  • You use Jetpack and depend on its remote features → Don’t disable blindly (consider disabling pingbacks only).
  • You never publish remotely, don’t use Jetpack, and don’t need legacy integrations → Disable it.
  • You’re getting lots of suspicious hits to /xmlrpc.php → Disable or restrict it (and consider adding rate-limiting/WAF).

If you share whether you use Jetpack, any mobile publishing, or specific integrations, I’ll recommend the most appropriate SpinupWP configuration.