Disable XML-RPC


Completely disables all XML-RPC related functions in WordPress including pingbacks and trackbacks, and helps prevent attacks on the xmlrpc.php file.


The Long Version

This plugin does not affect the database whatsoever, nor does it change settings on existing posts/pages. It only affects the main Discussion settings while disabling XML-RPC API functions. If you wish to “clean up” all posts and pages in your database (e.g. turn off all their pingbacks and trackbacks, or delete the old ones), please use a different plugin for that.

Lastly, it attempts to generate a 403 Denied error for requests to the /xmlrpc.php URL, but does not affect that file or your server in any way.


This plugin has been designed for use on LEMP (Nginx) web servers with PHP 7.0 and MySQL 5.7 to achieve best performance. All of our plugins are meant for single site WordPress installations only; for both performance and security reasons, we highly recommend against using WordPress Multisite for the vast majority of projects.

Plugin Features

  • Settings Page: No
  • Premium Version Available: Yes (Speed Demon)
  • Includes Media (Images, Icons, Etc): No
  • Includes CSS: No
  • Database Storage: Yes
    • Transients: No
    • Options: Yes
    • Creates New Tables: No
  • Database Queries: Backend Only (Options API)
  • Must-Use Support: Yes (Use With Autoloader)
  • Multisite Support: No
  • Uninstalls Data: Yes

WP Admin Notices

This plugin generates multiple Admin Notices in the WP Admin dashboard. The first is a notice that fires during plugin activation which recommends several related free plugins that we believe will enhance this plugin’s features; this notice will re-appear approximately once every 6 months as our code and recommendations evolve. The second is a notice that fires a few days after plugin activation which asks for a 5-star rating of this plugin on its WordPress.org profile page. This notice will re-appear approximately once every 9 months. These notices can be dismissed by clicking the (x) symbol in the upper right of the notice box. These notices may annoy or confuse certain users, but are appreciated by the majority of our userbase, who understand that these notices support our free contributions to the WordPress community while providing valuable (free) recommendations for optimizing their website.

If you feel that these notices are too annoying, then we encourage you to consider one or more of our upcoming premium plugins that combine several free plugin features into a single control panel, or even consider developing your own plugins for WordPress, if supporting free plugin authors is too frustrating for you. A final alternative would be to place the defined constant mentioned below inside of your wp-config.php file to manually hide this plugin’s nag notices:

define('DISABLE_NAG_NOTICES', true);

Note: This defined constant will only affect the notices mentioned above, and will not affect any other notices generated by this plugin or other plugins, such as one-time notices that communicate with admin-level users.



We released this plugin in response to our managed hosting clients asking for better access to their server, and our primary goal will remain supporting that purpose. Although we are 100% open to fielding requests from the WordPress community, we kindly ask that you keep the above mentioned goals in mind, thanks!




Installation Instructions
  1. Upload to /wp-content/plugins/disable-xml-rpc-littlebizzy directory
  2. Activate via WP Admin > Plugins
  3. Test plugin is working by loading the /xmlrpc.php file URI
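
To make step 3 repeatable, the script below (an added example, not part of the plugin or its documentation) POSTs a harmless system.listMethods call to /xmlrpc.php on your own site and reports whether the endpoint is blocked. It uses POST because a plain browser load is a GET, which stock WordPress answers with 405 even when XML-RPC is fully enabled; the function names and verdict labels are this example's own.

```python
import sys
import urllib.error
import urllib.request
import xmlrpc.client

# Harmless introspection call; a working XML-RPC endpoint answers it with a method list.
PAYLOAD = xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def classify(status, body):
    """Map an HTTP status and response body to a verdict on the endpoint."""
    if status == 403:
        return "blocked"        # what this page says the plugin attempts to return
    if status == 200 and b"<methodResponse>" in body:
        return "answering"      # XML-RPC is still processing calls
    if status == 404:
        return "absent"         # file removed or hidden by the web server
    return "inconclusive"       # e.g. 405 on GET, redirects to a login page, 5xx


def probe(site_url, timeout=10):
    """POST the introspection call to <site_url>/xmlrpc.php and classify the reply."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php",
        data=PAYLOAD,
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the 403 we are looking for arrives here.
        status, body = err.code, err.read(65536)
    return status, classify(status, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_xmlrpc.py https://your-site.example")
    status, verdict = probe(sys.argv[1])
    print(f"HTTP {status}: XML-RPC is {verdict}")
    sys.exit(0 if verdict == "blocked" else 1)
```

The non-zero exit code on anything other than a 403 makes the script usable as a post-deploy or monitoring check.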


Thank you!

Very helpful for my site. Thanks for this!

Simple and efficient

Despite hiding wp-login I was getting thousands of brute force login attempts. xml-rpc seemed to be the only possible leak.

So, I installed. I activated. Brute force login attempts stop.

Job done.


Contributors & Developers

“Disable XML-RPC” is open source software.





  • updated recommended plugins


  • optimized plugin code
  • added warning to Multisite installations
  • updated recommended plugins
  • updated plugin meta


  • updated recommended plugins


  • better support for define('DISABLE_NAG_NOTICES', true);


  • tested with WP 4.9
  • updated plugin meta
  • partial support for define('DISABLE_NAG_NOTICES', true);


  • optimized plugin code
  • updated recommended plugins
  • added rating request


  • minor code tweaks
  • updated recommended plugins


  • added recommended plugins


  • initial release