JPKCom Disable XML-RPC — Guide & Tips
Disable WordPress XML-RPC site-wide with JPKCom Disable XML-RPC — installation, requirements and security tips.
JPKCom Disable XML-RPC disables the WordPress XML-RPC interface globally. This is useful when you don't need this legacy remote interface and want to close its attack surface.
Guide
Requirements
- WordPress 6.9 or newer (tested up to WordPress 7.0)
- PHP 8.3 or newer
Installation
- In your admin panel, go to Plugins → Add New and click Upload Plugin.
- Choose the plugin's ZIP file and click Install Now.
- Click Activate.
How it works
There is no settings page — once active, the plugin disables XML-RPC for the entire installation.
Tips & Tricks
- Reduce attack surface: XML-RPC is a common entry point for brute-force and pingback attacks. If you don't use services that strictly require XML-RPC, you can safely disable the interface.
- Check what relies on XML-RPC first: Some external services or older app integrations still talk to WordPress via XML-RPC. Make sure you don't rely on such an integration before disabling it globally.
- Reproducible updates: Since version 1.0.2 the plugin uses secure self-hosted updates via GitHub with SHA256 checksums, runs with declare(strict_types=1), types the callbacks and sanitizes $_SERVER access.
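For the "check what relies on XML-RPC first" tip, the following added example (not part of the plugin or its documentation) tallies POST requests to xmlrpc.php in a web server access log by client IP and user agent, so recurring clients can be reviewed before the plugin is activated. It assumes the Combined Log Format; the log lines, addresses and user agents are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2025:08:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleBlogApp/2.1"',
    '192.0.2.10 - - [01/Mar/2025:08:05:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "ExampleBlogApp/2.1"',
    '203.0.113.7 - - [01/Mar/2025:08:06:02 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "ExampleScanner/0.1"',
    '198.51.100.4 - - [01/Mar/2025:08:07:10 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2025:08:07:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

def xmlrpc_clients(lines):
    """Group POST requests to xmlrpc.php by (client IP, user agent)."""
    clients = defaultdict(lambda: {"hits": 0, "statuses": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        # XML-RPC calls are POST requests; other methods never reach the API.
        if not m or m["method"] != "POST":
            continue
        # Compare the path only, so query strings and subdirectory installs match.
        path = m["target"].split("?", 1)[0]
        if not path.lower().endswith("/xmlrpc.php"):
            continue
        entry = clients[(m["ip"], m["agent"])]
        entry["hits"] += 1
        entry["statuses"][m["status"]] += 1
    return dict(clients)

def report(lines):
    """Return one summary line per client, busiest first."""
    rows = sorted(xmlrpc_clients(lines).items(), key=lambda kv: -kv[1]["hits"])
    return [
        f"{ip}  hits={d['hits']}  statuses={dict(d['statuses'])}  agent={agent!r}"
        for (ip, agent), d in rows
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A client that shows up repeatedly with successful responses is a candidate for a real integration and should be identified before XML-RPC is disabled globally.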
Further reading
- Source code on GitHub: https://github.com/JPKCom/jpkcom-disable-xmlrpc
- API documentation (PHPDoc): https://jpkcom.github.io/jpkcom-disable-xmlrpc/docs/
- This project's changelog