Disable XML-RPC


Simpel gezegd, deze plugin gebruikt het ingebouwde WordPress filter “xmlrpc_enabled” om de XML-RPC API uit te schakelen op een WordPress site met 3.5 of hoger.

Beginning in 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.


  • An example of the error that the WordPress mobile app will return when this plugin is enabled. This is expected and indicates that the plugin is working as intended.
  • An example of a curl command attempting to request data via XML-RPC calls to the site when the plugin is enabled. The error "XML-RPC services are disabled on this site" is expected and indicates that the plugin is working as intended.
  • An example of Danilo Ercoli's XML-RPC validator run against the site when the plugin is enabled. The error "Method not allowed" is expected and indicates that the plugin is working as intended.


  1. Upload the disable-xml-rpc directory to the /wp-content/plugins/ directory in your WordPress installation
  2. Activeer de plugin via het ‘Plugins’ menu in WordPress
  3. De WordPress XML-RPC methoden zijn nu uitgeschakeld!

To re-enable XML-RPC, just deactivate the plugin through the ‘Plugins’ menu.

View the FAQ about “How do I know if the plugin is working?” to verify that this is working as intended.


Is er een beheer interface voor deze plugin?

Nee. Deze plugin is zo eenvoudig als XML-RPC is uitgeschakeld (plugin geactiveerd) of XML-RPC is ingeschakeld (plugin is gedeactiveerd).

Hoe weet ik of de plugin werkt?

Er zijn een paar eenvoudige methoden om te controleren of XML-RPC is uitgeschakeld:

  1. Try using an XML-RPC WordPress client, like the official WordPress mobile apps. The WordPress mobile app should tell you that “XML-RPC services are disabled on this site” if the plugin is activated.
  2. Use the curl command to send an XML-RPC request to your site. If the response contains “XML-RPC services are disabled on this site” then the plugin is working properly and WordPress will not send data back to XML-RPC requests.
  3. Try the XML-RPC Validator, written by Danilo Ercoli of the Automattic Mobile Team – the tool is available at https://xmlrpc-check.hostpress.me/. Information and source code for the tool are available on GitHub at https://github.com/daniloercoli/WordPress-XML-RPC-Validator. Keep in mind that you want the validator to fail and tell you that XML-RPC services are disabled.

Bekijk de schermafbeeldingen voor voorbeelden van wat deze tools laten zien wanneer de plugin is ingeschakeld.

Er lijkt iets niet goed te werken

If the plugin is activated, but XML-RPC appears to still be working … OR … the plugin is deactivated, but XML-RPC is not working, then it’s possible that another plugin or theme function is affecting the xmlrpc_enabled filter. Additionally, server configurations could be blocking XML-RPC (i.e. blocking access to xmlrpc.php in the .htaccess file).


18 augustus 2021
I have used this product on a dozen of the websites I have built and have had positive results without exception. This plugin simplifies the process of securing my websites by disabling XML-RPC, and has worked on all versions of WordPress I have used it with over the past couple of years. Great product, Highly recommended!
5 juni 2020
I'll add my voice to the growing choir of people saying this plugin no long works, unfortunately. At least not with WordPress v5.4.1. On the plus, all one has to do is change the permission of the xmlrpc.php (in the root of any WordPress domain) to 600, and problem solved.
Lees alle 25 beoordelingen

Bijdragers & ontwikkelaars

“Disable XML-RPC” is open source software. De volgende personen hebben bijgedragen aan deze plugin.


Vertaal “Disable XML-RPC” naar jouw taal.

Interesse in ontwikkeling?

Bekijk de code, haal de SVN repository op, of abonneer je op het ontwikkellog via RSS.



  • Blank lines removed from the plugin file.


  • Eerste release