So what is XML-RPC and why is it a good idea to disable it?
XML-RPC for WordPress was designed to enable remote connections between your site and external applications. This means users are able to interact with their WordPress site through different blogging platforms or phone apps. This was useful in the earlier days of the internet, when a person would want to edit content offline and then connect to their WordPress blog later to publish it.
There are certain situations where users would want to use XML-RPC. However, with advances in technology, the use and functionality of XML-RPC have been greatly reduced since its inception. As such, the original benefits of this feature have become outweighed by the potential security risks of leaving it enabled.
WHY SHOULD I DISABLE XML-RPC?
As alluded to in the previous section, there are security risks associated with leaving XML-RPC enabled. These can include:
Brute Force Attacks - Where an attacker can use XML-RPC to test hundreds of username and password combinations until they are eventually able to gain access to your site. This occurs because XML-RPC does not have the same login attempt limit that exists when you log into WordPress normally.
DDoS Attack - Where an attacker can use XML-RPC to send pingbacks to thousands of IPs. This allows them to send a flood of data and traffic, which can cause overages and even leave networks paralyzed and shut down.
METHOD 1 - Plugin
1: Log into your WordPress Admin Dashboard
2: Click on PLUGINS >> ADD NEW
3: Search for "Disable XML-RPC" and install the "Disable XML-RPC Plugin"
Simply activate the plugin and you are done! XML-RPC is now disabled.