XML-RPC and WordPress

So, have you try to type this at WordPress URL Bar: https://some.wordpress.site/wp-json and find out the XML syntax all over the page?

Some say it was a feature, some say it was a backdoor. If you own a WordPress site with XML-RPC enabled, do not be scared. It is normal. It is a functioning XML-RPC call. But if you want to shut it off, do the following.

  1. Edit .htaccess. Add the next line:
    Redirect 301 /xmlrpc.php https://www.google.com
  2. Edit /wp-content/themes/your_theme/functions.php with the following code:
add_filter( 'rest_authentication_errors', function( $result ) {
// If a previous authentication check was applied,
// pass that result along without modification.
if ( true === $result || is_wp_error( $result ) ) {
return $result;
// No authentication has been performed yet.
    // Return an error if user is not logged in.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )

    // Our custom authentication check should have no effect
    // on logged-in requests
    return $result;

Taken from:

1. https://www.shellhacks.com/wordpress-disable-rest-api-restrict-access/

2. https://wpdynamic.com/wordpress-developer/wordpress-code-snippets/how-to-disable-the-wordpress-json-rest-api-without-plugin/

3. https://www.greengeeks.com/tutorials/how-to-enable-and-disable-xmlrpc-php-in-wordpress-and-why/

Work till death do me part.

Leave a Reply