Disable XML-RPC


Completely disables all XML-RPC related functions in WordPress including pingbacks and trackbacks, and helps prevent attacks on the xmlrpc.php file.

Current Features

Does not affect the database whatsoever, nor change settings on existing posts/pages. This plugin only affects the main Discussion settings while disabling XML-RPC API functions. If you wish to “clean up” all posts and pages in your database e.g. turn off all their pingbacks and trackbacks or delete the old ones, please use a different plugin for that.

Lastly, it attempts to generate a 403 Denied error for requests to the /xmlrpc.php URL, but does not affect that file or your server in any way.


This plugin has been designed for use on SlickStack web servers with PHP 7.2 and MySQL 5.7 to achieve best performance. All of our plugins are meant for single site WordPress installations only; for both performance and usability reasons, we highly recommend avoiding WordPress Multisite for the vast majority of projects.

Any of our WordPress plugins may also be loaded as “Must-Use” plugins by using our free Autoloader script in the mu-plugins directory.

Defined Constants

/* Plugin Meta */
define('DISABLE_NAG_NOTICES', true);

Technical Details

  • Parent Plugin: Speed Demon
  • Disable Nag Notices: Yes
  • Settings Page: No
  • PHP Namespaces: No
  • Object-Oriented Code: No
  • Includes Media (images, icons, etc): No
  • Includes CSS: No
  • Database Storage: Yes
    • Transients: No
    • WP Options Table: Yes
    • Other Tables: No
    • Creates New Tables: No
    • Creates New WP Cron Jobs: No
  • Database Queries: Backend Only (Options API)
  • Must-Use Support: Yes
  • Multisite Support: No
  • Uninstalls Data: Yes

Special Thanks

Alex Georgiou, Automattic, Brad Touesnard, Daniel Auener, Delicious Brains, Greg Rickaby, Matt Mullenweg, Mika Epstein, Mike Garrett, Samuel Wood, Scott Reilly, Jan Dembowski, Jeff Starr, Jeff Chandler, Jeff Matson, Jeremy Wagner, John James Jacoby, Leland Fiegel, Luke Cavanagh, Mike Jolley, Pau Iglesias, Paul Irish, Rahul Bansal, Roots, rtCamp, Ryan Hellyer, WP Chat, WP Tavern


We released this plugin in response to our managed hosting clients asking for better access to their server, and our primary goal will remain supporting that purpose. Although we are 100% open to fielding requests from the WordPress community, we kindly ask that you keep these conditions in mind, and refrain from slandering, threatening, or harassing our team members in order to get a feature added, or to otherwise get “free” support. The only place you should be contacting us is in our free Facebook group which has been setup for this purpose, or via GitHub if you are an experienced developer. Thank you!

Our Philosophy

“Decisions, not options.” — WordPress.org

“Everything should be made as simple as possible, but no simpler.” — Albert Einstein

“Write programs that do one thing and do it well… write programs to work together.” — Doug McIlroy

“The innovation that this industry talks about so much is bullshit. Anybody can innovate… 99% of it is ‘Get the work done.’ The real work is in the details.” — Linus Torvalds

Search Keywords

block brute force attacks, brute force attacks, disable, disable pingbacks, disable self ping, disable trackbacks, disable xml-rpc, disable xmlrpc, no self ping, no self pingbacks, no self pinging, no self trackbacks, pingbacks, remove, remove xml-rpc, remove xmlrpc, self ping, trackbacks, xml-rpc, xmlrpc, xmlrpc.php


  1. Upload to /wp-content/plugins/disable-xml-rpc-littlebizzy
  2. Activate via WP Admin > Plugins
  3. Test plugin is working:

After activing the plugin, purge all caches and try loading the /xmlrpc.php URI of your website, and it should result in a 403 Denied error in your browser. In addition, no further pingbacks or trackbacks should appear in the Comments section of your WP Admin Dashboard (nor the frontend in the Comments section of your blog posts and custom post types).


Solved Login Attempts

After installing Limit Log In Attempts & Stealth Login, I was inundated with emails of blocked attempts & lockouts. This had been going on for years & i couldn’t stop these hackers/bots etc from trying to get into my site. I then installed a plugin called WPS Hide Login which changes your login URL but that still didn’t make a difference for some reason.
I just went along for years deleting these emails until my hosting service provider contacted me to say that these visits & constant attempts were using up a lot of something (that i don’t understand…data…bandwith???) & that they were going to shut down my account.
After an online search i found out about Disable XML-RPC & thought i would try it.
It’s worked a treat & 100%. Whatever XML & RPC is i’ve obviously not needed it on my webpage so all is great. I’ve not had a single attempt that i’ve been notified of for 3 weeks now since installing the plugin so i’m more than happy. Thanks for this 5 star plugin.

Thank you!

Very helpful for my site. Thanks for this!

Simple and efficient

Despite hiding wp-login I was getting thousands of brute force login attempts. xml-rpc seemed to be the only possible leak.

So, I installed. I activated. Brute force login attempts stop.

Job done.

Leggi tutte le recensioni di 17

Crediti e riconoscimenti

“Disable XML-RPC” è un software open source. Le persone che hanno contribuito allo sviluppo di questo plugin sono indicate di seguito.


Traduci “Disable XML-RPC” nella tua lingua.

Ti interessa lo sviluppo?

Esplora il Codice segui il Repository SVN iscriviti al Log delle Modifiche. Puoi farlo tramite RSS con un lettore di feed.

Changelog (modifiche)


  • tested with WP 5.0


  • updated recommended plugins


  • optimized plugin code
  • added warning for Multisite installations
  • updated recommended plugins
  • updated plugin meta


  • updated recommended plugins


  • better support for DISABLE_NAG_NOTICES


  • tested with WP 4.9
  • updated plugin meta
  • partial support for DISABLE_NAG_NOTICES


  • optimized plugin code
  • updated recommended plugins
  • added rating request notice


  • optimized plugin code
  • updated recommended plugins


  • added recommended plugins notice


  • initial release