Restrict XML-RPC

What This Does

This protection restricts or disables access to the WordPress XML-RPC interface.

It reduces exposure to certain types of automated attacks that target this endpoint.

Why It Matters

XML-RPC is a remote access feature that allows external systems to interact with your WordPress site.

While useful in some cases, it is commonly targeted for:

If not needed, leaving XML-RPC enabled increases your attack surface.

When to Apply It

This protection is recommended for most WordPress sites.

Apply it when:

you do not use XML-RPC functionality
your site does not rely on remote publishing tools
you want to reduce exposure to automated attacks

When Not to Apply It

Do not apply this protection if your site depends on XML-RPC.

This may include:

certain mobile apps
remote publishing tools
integrations that rely on XML-RPC

If unsure, apply cautiously and test functionality.

How Steel Security Applies This

Steel Security restricts access to the XML-RPC endpoint (xmlrpc.php).

Depending on your environment, this may include:

blocking access at the server level
limiting allowed request types
restricting access to specific conditions

This prevents unauthorized or unnecessary use of the interface.

What to Expect After Applying

After applying this protection:

XML-RPC requests will be blocked or restricted
automated attacks targeting the endpoint will be reduced
your site functionality will remain unchanged if XML-RPC is not in use

How to Verify

To verify the protection:

Attempt to access /xmlrpc.php in your browser
Confirm that access is denied or restricted

Expected results include:

a 403 Forbidden response
a blocked or limited response

How to Revert (Rollback)

To revert this protection:

Navigate to the hardening section in Steel Security
Disable the control
Confirm the change
Re-test any integrations that rely on XML-RPC

Common Issues

Remote Publishing Stops Working

This indicates XML-RPC was in use.

If needed:

revert the change
confirm which tool requires XML-RPC
consider alternative APIs (e.g., REST API)

Endpoint Still Accessible

verify server rules are applied correctly
check for caching or proxy interference
confirm no conflicting configuration exists

Unexpected Behavior

test all integrations after applying
revert if functionality is impacted
apply more targeted restrictions if needed

Uploads PHP Execution Protection

Block Direct PHP Access

Prevent Execution in Sensitive Directories

Disable Directory Listing

Protect Backup Files

Protect Configuration Files

Disable Debug Mode

Disable File Editing in Admin

Restrict XML-RPC

Security Headers Overview

Content Security Policy (CSP)

X-Frame-Options

X-Content-Type-Options

Referrer-Policy

Hide Version Information

Restrict Sensitive Endpoints

Limit Exposure of System Info

Apache (.htaccess) Hardening

Nginx Hardening

IIS (web.config) Hardening

Restrict XML-RPC

What This Does

Why It Matters

When to Apply It

When Not to Apply It

How Steel Security Applies This

What to Expect After Applying

How to Verify

How to Revert (Rollback)

Common Issues

Remote Publishing Stops Working

Endpoint Still Accessible

Unexpected Behavior

Uploads PHP Execution Protection

Block Direct PHP Access

Prevent Execution in Sensitive Directories

Disable Directory Listing

Protect Backup Files

Protect Configuration Files

Disable Debug Mode

Disable File Editing in Admin

Restrict XML-RPC

Security Headers Overview

Content Security Policy (CSP)

X-Frame-Options

X-Content-Type-Options

Referrer-Policy

Hide Version Information

Restrict Sensitive Endpoints

Limit Exposure of System Info

Apache (.htaccess) Hardening

Nginx Hardening

IIS (web.config) Hardening

Restrict XML-RPC

What This Does

Why It Matters

When to Apply It

When Not to Apply It

How Steel Security Applies This

What to Expect After Applying

How to Verify

How to Revert (Rollback)

Common Issues

Remote Publishing Stops Working

Endpoint Still Accessible

Unexpected Behavior

Related