XML-RPC is a procedure that uses XML file encoding to make a remote call to your website. It is commonly used in WordPress blogs to allow a website owner to publish new posts using an editor like the WordPress mobile app.

Until 2015, WordPress had disabled access to the xmlrpc.php file by default. In 2015, the WordPress team decided to enable it again, taking into consideration a big increase in mobile browsing and new security enhancements. 

While greater security is good news, the xmlrpc.php file is still commonly targeted by brute force bots. These nuisance requests can consume the CPU/memory resources on your hosting plan and slow down your website. Security plugins can be useful in blocking bots. If they are still causing an issue and you don't have any need for xmlrpc.php to be enabled, you might want to completely disable access to xmlrpc.php using an .htaccess file.

You'll need to modify the .htaccess file which normally exists in the public_html directory of your website.

You should add this code to the file:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

If you use JetPack, here is alternative code which allows JetPack access but no one else:

<Files xmlrpc.php>
order deny,allow
deny from all
allow from 122.248.245.244/32
allow from 54.217.201.243/32
allow from 54.232.116.4/32
allow from 192.0.80.0/20
allow from 192.0.96.0/20
allow from 192.0.112.0/20
allow from 195.234.108.0/22
</Files>

The code above is only an example. Please keep a copy of your original .htaccess file in case you need to revert it.

Once you have amended the code, please test your website to make sure it's working as you'd expect.

If you encounter any issues, please open a support ticket and our team will be happy to investigate.

DISCLAIMER: The scripts provided in our knowledgebase are for informational purposes only. We do not provide any warranty or support. It is essential to review and modify the scripts to fit your site's specific needs. There may be unforeseen outcomes when adding new script code to an existing website. You should discuss it with your website manager and seek advice from an experienced website developer if you are unsure.

Updated by SP on 23/11/2022

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

WordPress - How to reduce WP-Cron resource usage

WordPress software includes a WP-Cron.php file that carries out regular maintenance tasks on your...
Wordpress - Wordpress White Page (Screen of Death)

If your website is displaying a blank white page on the landing or homepage, this normally means...
Wordpress - Conflict between WordPress and Password Protected Directories

There is a common conflict between WordPress and password protected directories. If you have...
Wordpress - Login 'Not Acceptable' or Unable to Login

if you try to login to your WordPress admin area and you receive an error message “Not...
How to improve WordPress site performance with LSCache

LiteSpeed Cache (LSCache) has plenty of advanced features that can enhance the speed of your site...