Disable XML-RPC-API
A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback-ping in WordPress 3.5+ for a faster and more secure website
4.1(42 reviews)
·100K+ active installs·Updated 1 month agoAs of April 2026, Disable XML-RPC-API is a WordPress xmlrpc plugin with 100K+ active installations and a 4.1/5 rating from 42 reviews. It has been downloaded 796K+ times in total. Requires WordPress 5.0+ and PHP false+. Available on WordPress.org since 2020. Recently updated within the last 3 months. Download volume is stable this week. Top alternative: Disable XML-RPC.
4.1/542 reviews
100K+active installs
796K+total downloads
6 yearssince 2020
Overview
Protect your website from xmlrpc brute-force attacks,DOS and DDOS attacks, this plugin disables the XML-RPC and trackbacks-pingbacks on your WordPress website.
PLUGIN FEATURES
(These are options you can enable or disable each one)
- Disable access to xmlrpc.php file using .httacess file
- Automatically change htaccess file permission to read-only (0444)
- Disable X-pingback to minimize CPU usage
- Disable selected methods from XML-RPC
- Remove pingback-ping link from header
- Disable trackbacks and pingbacks to avoid spammers and hackers
- Rename XML-RPC slug to whatever you want
- Black list IPs for XML-RPC
- White list IPs for XML-RPC
- Some options to speed-up your wordpress website
- Disable JSON REST API
- Hide WordPress Version
- Disable built-in WordPress file editor
- Disable wlw manifest
- And some other o…
Screenshots
Ratings & Reviews
4.142 reviews
5 ★
32
4 ★
0
3 ★
1
2 ★
2
1 ★
7
Recent Reviews
does what it should
by bugscout·6 months ago
i tried 3 plugins, this does what it should 🙂
Harmful
by firafiki·7 months ago·1 reply
Website crashed error 500 server. All php files was modified. But i’m not sure who dumb person downloaded at my company website. 4 days to settled all the issues.
Error
by elmo2000·2 years ago·3 replies
My whole site crashed . 500 server error. (.htacces failure) Unistalled, found another solution.
Hotlinking
by ajaxy12·2 years ago·1 reply
Could you please add capability to exclude spesific domain names from Disable Hotlinking and Leaching of Your Content section?
We want to show some of our content on other webiste via iframe
DO NOT INSTALL THIS! **PHP BACKDOOR**
by ben2358723823567·2 years ago·2 replies
WARNING! This extension will sneakily inject obfuscated yanz backdoor PHP scripts in your document root and will hijack your WordPress site. THREE of my customers websites were hacked this week and the ONLY extension that they all have in common that recently got installed is Disable XML-RPC-API. They literally have nothing else in common and they don’t know each other nor use the same theme nor even the same WordPress release. BE WARNED.
Download Trends
Today: 156Yesterday: 206This week: 1KPeriod total: 107K
Compatibility
| WordPress | 5.0+ requiredTested up to 6.9.4 |
| PHP | false+ required |
Version Adoption
v2.1
99.5%
Other
0.5%
Top Alternatives to Disable XML-RPC-API
Frequently Asked Questions
Changelog
1.0.0
- Initial release
Contributors
Plugin data sourced from WordPress.org. Analysis and metrics by PluginSift.