XML-RPC, an acronym for XML Remote Procedure Call, is a protocol that facilitates online system-to-system communication. With WordPress, it permits remote connections to your website, letting you interact with your WordPress installation through desktop applications, mobile apps, and other services.
While XML-RPC has its uses, attackers can exploit it for brute force attacks, which attempt to guess your password by making numerous login attempts. Attackers can also use the protocol to launch DDoS (Distributed Denial of Service) attacks on your site. Because attackers target XML-RPC so often, the resulting traffic can cause unnecessary server load and performance issues, particularly on high-traffic sites.
The WordPress REST API now covers many of the functions previously handled by XML-RPC, and does so more securely and efficiently. As a result, many users no longer need XML-RPC.
If you need to disable XML-RPC for your WordPress website, add the following code snippet at the bottom of your theme's functions.php file:
// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');
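The xmlrpc_enabled filter only turns off the XML-RPC methods that require authentication; unauthenticated methods such as pingbacks are still answered, and the site keeps advertising the endpoint. The following is an added example, not code from the original page or from WordPress core, that closes those remaining gaps using standard WordPress hooks. The file name disable-xmlrpc.php is an assumption, and placing it in wp-content/mu-plugins (rather than the theme's functions.php) keeps it active across theme changes:

```php
<?php
/**
 * Added example (not WordPress core code).
 * Assumed location: wp-content/mu-plugins/disable-xmlrpc.php
 */

// Disable XML-RPC methods that require authentication (the snippet from the page).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the unauthenticated pingback methods, which the filter above leaves active.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Stop advertising the endpoint in the page <head> (Really Simple Discovery link).
remove_action( 'wp_head', 'rsd_link' );
```

Requests still reach xmlrpc.php and load WordPress with this in place, so the server load described above is only fully avoided by also blocking the file at the web server or firewall.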