As the titles states, this quick tutorial will help you disable access to XML-RPC in WordPress, mainly the xmlrpc.php core WordPress file.

If you have looked at some online tutorials and you were not successful to achieving the ban, then basically this tutorial will listen on init hook of WordPress fired upon WordPress initialization (before anything), and check if the current page is xmlrpc.php. If so, emulate an 403 Forbidden error and exit.

The code:

This code should be added to your child theme’s functions file, or through a custom plugin:

add_action("init", function() { 
	global $pagenow; // get current page
	if ( !empty($pagenow) && "xmlrpc.php" === $pagenow ) {
		header("HTTP/1.1 403 Forbidden" ); // Produce 403 error
		exit; // exit request
	} return;

blocking xmlrpc wordpress before and after

Digital Ocean

Cheap Cloud SSD Hosting

Get a VPS now starting at $5/m, fast and perfect for WordPress and PHP applications

Sign Up with $10 Credit