XML-RPC, WordPress’s Remote Publishing interface, has had major security issues in the past. Because of this, it was turned off by default, and users had to enable it manually via Settings » Writing » Remote Publishing.
But no longer. The folks behind the XML-RPC protocol have made major improvements, and WordPress developers believe it no longer poses a significant security risk. Therefore, in WordPress 3.5, XML-RPC is enabled by default. You can turn it off if necessary, but the process is a bit more difficult now.
“Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.
“There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.”
Source: Andrew Nacin, WordPress Developer
XML-RPC is a method WordPress uses to perform remote procedure calls (RPC). In practice, this means WordPress connects your blog with outside devices and services, allowing them to remotely perform certain operations within WordPress:
- Create, edit, and delete posts and pages.
- Create, edit, and delete comments.
- Retrieve recent posts, lists of categories, tags, authors, etc.
XML-RPC is also required to use online services like HootSuite, IFTTT, and others. Certain plugins that share, schedule, or update your content may also require it.
While having XML-RPC enabled presents a relatively low risk and can add a lot of functionality to your site, not everyone will want to leave it enabled. If you don’t need it, you have a couple of options for disabling XML-RPC in WordPress 3.5. The old UI and database options are now gone, so you either have to add this filter recommended by WordPress.org:
to your wp-config.php file somewhere after the line:
Or you can use a plugin that disables it. We recommend using a plugin because it is fast and easy to implement, and it’s easy to re-enable XML-RPC again if necessary by simply deactivating the plugin. Additionally, edits made directly to the wp-config.php file will be overwritten the next time you update WordPress, causing XML-RPC to be re-enabled.
If you don’t use any mobile apps, blog publishing tools, plugins, etc., to remotely publish or edit content on your site, you may want to disable XML-RPC. Just remember, if you change your mind in the future, or forget you disabled it and try to use a product or service that depends on XML-RPC, it won’t work until you re-enable it.
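Whichever method you use, it is worth confirming that it took effect. The following is an added example, not code from the original post or from WordPress: it sends one authenticated-style call to your own site's xmlrpc.php and reads the fault code. It assumes WordPress answers with fault 405 when XML-RPC is disabled and 403 when a login is rejected; the function names and placeholder credentials are hypothetical.

```python
import urllib.error
import urllib.request
import xmlrpc.client

# Assumed WordPress fault codes (not stated in the post):
FAULT_DISABLED = 405   # "XML-RPC services are disabled on this site."
FAULT_BAD_LOGIN = 403  # login was attempted and rejected, so XML-RPC is on


def build_probe() -> bytes:
    """Body of an authenticated call made with placeholder credentials.

    An authenticated method is used because the disable filter gates the
    login step; methods that need no login are not a reliable signal.
    """
    params = ("placeholder-user", "placeholder-pass")
    return xmlrpc.client.dumps(params, methodname="wp.getUsersBlogs").encode()


def classify(body: bytes) -> str:
    """Map an xmlrpc.php response body to 'disabled', 'enabled' or 'unknown'."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == FAULT_DISABLED:
            return "disabled"
        if fault.faultCode == FAULT_BAD_LOGIN:
            return "enabled"
        return "unknown"
    except Exception:  # HTML error page, truncated or malformed XML
        return "unknown"
    return "enabled"  # a normal reply means the call was actually served


def check_site(endpoint: str) -> str:
    """POST the probe to your own site's xmlrpc.php URL and classify the reply."""
    req = urllib.request.Request(endpoint, data=build_probe(),
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.read())
    except urllib.error.HTTPError:
        return "blocked"  # the web server or a firewall refused the request


def fault_body(code: int, message: str) -> bytes:
    """Constructed fault response, for trying classify() offline."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message)).encode()
```

Re-run the check after each WordPress update or plugin change, since an "enabled" result means remote publishing calls are being accepted again.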