xmlrpc.php in WordPress

The full form of XML-RPC is eXtensible Markup Language –¬†Remote Procedure Call.

What is xmlrpc.php – Basically the file xmlrpc.php is a feature of WordPress that enables data to be transmitted through your site with HTTP request. The transmitted data encoded with XML. WordPress also needs to communicate with other systems. The xmlrpc.php was there to sort this problem.

For example: If I want to create a post through my mobile device. I can use the remote access feature of xmlrpc.php that is enabled by WordPress.


Why Xmlrpc.php was created:

Before some time, the speed of the internet was very poor or we can say the connection speed was slow. The process of writing a post through the web was also very difficult and time-consuming. People prefer to write the post offline and paste the written post to the web. This process was also difficult.

The only solution was to create an offline system that can help users to directly upload their post data to the blog by making a connection with the blog. The connection was done by the xmlrpc.php file.

In the past, most apps use this feature to log in to their WordPress site from other devices.


Xmlrpc.php Nowadays

In version 2.3 of WordPress, there was an option to disable the XML-RPC feature. But after some time this feature was set to on by default and there was no option to turn it off.

When the Xmlrpc.php file was created, the size of this file was about 83KB. But now its size is about 3KB. It means the functionality of this file is decreased.


Why we should disable the XML-RPC feature

When this feature was introduced, nobody knows that it can also be used for brute force attacks on the site. We are not able to handle this problem because WordPress plugins can not modify this file.

Everyone uses a strong password to secure their account but what about this file. It allows the brute force attacks. To resolve this problem in WordPress you should disable it.

There are two major problems with this file. The first one is that it enables the brute force attack. The second problem is that also allows DDoS attacks. A hacker can perform a DDoS attack to put our site offline.

If you want to check that the XML-RPC feature is enabled on your site or not. Just use a tool called XML-RPC Validator. Run your site by this tool. If any error shows then it means the XML-RPC feature is disabled on your site but if you get any success message then it means the feature is active and you should disable it.


To disable the XML-RPC on your site. You need to follow some steps.

Click here to Disable the XML_RPC


If you have any doubts or problems you can comment below.

Leave a Reply

Your email address will not be published. Required fields are marked *