# JPKCom Disable XML-RPC — Guide & Tips

> Disable WordPress XML-RPC site-wide with JPKCom Disable XML-RPC — installation, requirements and security tips.

Source: https://www.jpkc.com/db/en/guides/jpkcom-disable-xmlrpc/

JPKCom Disable XML-RPC disables the WordPress XML-RPC interface globally. Useful when you don't need this legacy remote interface and want to close its attack surface.

## Guide

### Requirements

- WordPress **6.9** or newer (tested up to WordPress 7.0)
- PHP **8.3** or newer

### Installation

1. In your admin panel, go to **Plugins → Add New** and click **Upload Plugin**.
2. Choose the plugin's ZIP file and click **Install Now**.
3. Click **Activate**.

### How it works

There is **no settings page** — once active, the plugin disables XML-RPC for the entire installation.

## Tips & Tricks

- **Reduce attack surface:** XML-RPC is a common entry point for brute-force and pingback attacks. If you don't use services that strictly require XML-RPC, you can safely disable the interface.
- **Check what relies on XML-RPC first:** Some external services or older app integrations still talk to WordPress via XML-RPC. Make sure you don't rely on such an integration before disabling it globally.
- **Reproducible updates:** Since version 1.0.2 the plugin uses secure self-hosted updates via GitHub with SHA256 checksums, runs with `declare(strict_types=1)`, types the callbacks and sanitizes `$_SERVER` access.

## Further reading

- Source code on GitHub: <https://github.com/JPKCom/jpkcom-disable-xmlrpc>
- API documentation (PHPDoc): <https://jpkcom.github.io/jpkcom-disable-xmlrpc/docs/>
- [This project's changelog](https://www.jpkc.com/db/en/changelog/jpkcom-disable-xmlrpc/)