Samuel Elh Blog

WordPress, PHP, Python and JavaScript tutorials and snippets

Disable XML-RPC (xmlrpc.php) in WordPress

As the titles states, this quick tutorial will help you disable access to XML-RPC in WordPress, mainly the xmlrpc.php core WordPress file.

If you have looked at some online tutorials and you were not successful to achieving the ban, then basically this tutorial will listen on init hook of WordPress fired upon WordPress initialization (before anything), and check if the current page is xmlrpc.php. If so, emulate an 403 Forbidden error and exit.

The code:

This code should be added to your child theme’s functions file, or through a custom plugin:

add_action("init", function() { 
	global $pagenow; // get current page
	if ( !empty($pagenow) && "xmlrpc.php" === $pagenow ) {
		header("HTTP/1.1 403 Forbidden" ); // Produce 403 error
		exit; // exit request

blocking xmlrpc wordpress before and after

Digital Ocean

Cheap Cloud SSD Hosting

Get a VPS now starting at $5/m, fast and perfect for WordPress and PHP applications

Sign Up with $10 Credit

1 Comment

  1. Or just simply:

    Don’t need to worry about client changing theme.

Leave a Reply

Your email address will not be published.


© 2018 Samuel Elh - Powered by WordPress, DigitalOcean & NameCheap

Theme by Anders NorenUp ↑

Subscribe to our mailing list

Sign up to receive updates about WordPress, free and premium plugins and themes in general and tips and tricks

* indicates required