Restrict XML-RPC

What This Does

This protection restricts or disables access to the WordPress XML-RPC interface. It reduces exposure to certain types of automated attacks that target this endpoint.

Why It Matters

XML-RPC is a remote access feature that allows external systems to interact with your WordPress site. While useful in some cases, it is commonly targeted for:

- brute force login attacks
- pingback and amplification attacks
- automated abuse of authentication endpoints

If not needed, leaving XML-RPC enabled increases your attack surface.

When to Apply It

This protection is recommended for most WordPress sites. Apply it when:

- you do not use XML-RPC functionality
- your site does not rely on remote publishing tools
- you want to reduce exposure to automated attacks

When Not to Apply It

Do not apply this protection if your site depends on XML-RPC. This may include:

- certain mobile apps
- remote publishing tools
- integrations that rely on XML-RPC

If unsure, apply cautiously and test functionality.

How Steel Security Applies This

Steel Security restricts access to the XML-RPC endpoint (xmlrpc.php). Depending on your environment, this may include:

- blocking access at the server level
- limiting allowed request types
- restricting access to specific conditions

This prevents unauthorized or unnecessary use of the interface.

What to Expect After Applying

After applying this protection:

- XML-RPC requests will be blocked or restricted
- automated attacks targeting the endpoint will be reduced
- your site functionality will remain unchanged if XML-RPC is not in use

How to Verify

To verify the protection:

1. Attempt to access /xmlrpc.php in your browser
2. Confirm that access is denied or restricted

Expected results include:

- a 403 Forbidden response
- a blocked or limited response

How to Revert (Rollback)

To revert this protection:

1. Navigate to the hardening section in Steel Security
2. Disable the control
3. Confirm the change
4. Re-test any integrations that rely on XML-RPC

Common Issues

Remote Publishing Stops Working

This indicates XML-RPC was in use. If needed:

- revert the change
- confirm which tool requires XML-RPC
- consider alternative APIs (e.g., REST API)

Endpoint Still Accessible

- verify server rules are applied correctly
- check for caching or proxy interference
- confirm no conflicting configuration exists

Unexpected Behavior

- test all integrations after applying
- revert if functionality is impacted
- apply more targeted restrictions if needed

Related

- Disable File Editing in Admin
- Protect Configuration Files
- Safe Rollback Practices
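
An added example for the How to Verify steps (not Steel Security's own code): it requests /xmlrpc.php with both GET and POST and classifies each response, because stock WordPress answers a browser GET with 405 even while XML-RPC is fully usable. The `DENIED` status set, the verdict names and the function names are assumptions made for this sketch.

```python
import sys
import urllib.error
import urllib.request

# Smallest useful XML-RPC call; system.listMethods takes no credentials.
PROBE = (b'<?xml version="1.0"?><methodCall>'
         b'<methodName>system.listMethods</methodName><params/></methodCall>')
DENIED = {401, 403, 404, 410}  # assumption: statuses a server-level block may return


def classify(method, status, body):
    """Map one /xmlrpc.php response to blocked / restricted / open / inconclusive."""
    if status in DENIED:
        return "blocked"
    if method == "GET" and status == 405:
        # WordPress itself answers GET with 405, so the script was still reached.
        return "inconclusive"
    if method == "POST" and status == 200 and b"<methodResponse>" in body:
        # A fault means XML-RPC ran but refused the call; a result means it is usable.
        return "restricted" if b"<fault>" in body else "open"
    return "inconclusive"


def fetch(url, method):
    """Send one request that asks caches to revalidate; return (status, body)."""
    req = urllib.request.Request(
        url, data=PROBE if method == "POST" else None, method=method,
        headers={"Content-Type": "text/xml", "Cache-Control": "no-cache"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check(site):
    """Probe a site you administer with GET and POST; return {method: verdict}."""
    url = site.rstrip("/") + "/xmlrpc.php"
    return {m: classify(m, *fetch(url, m)) for m in ("GET", "POST")}


if __name__ == "__main__" and len(sys.argv) == 2:
    for method, verdict in check(sys.argv[1]).items():
        print(f"{method:4} /xmlrpc.php -> {verdict}")
```

Run it with your own site's base URL as the only argument, before and after enabling the control; a POST verdict of "open" after enabling points to the Endpoint Still Accessible checks.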