How to Disable XML-RPC in WordPress Safely
Disabling XML-RPC is a common security hardening step, though modern WordPress core has mitigated many of the original brute force vulnerabilities.
Based on 8 community reports.
Linked sources: 8.
Known Issues
- Changes made directly to core files (such as xmlrpc.php) are overwritten by WordPress updates
- Some legacy mobile apps or external services may require XML-RPC to function
Community Q&A
Should I disable xmlrpc.php on my WordPress site?
If you do not use the WordPress mobile app or external services that rely on XML-RPC, disabling it is a recommended security hardening practice.
How do I disable XML-RPC in WordPress?
The safest way is to use a security or optimization plugin like Admin and Site Enhancements (ASE) or Perfmatters to handle the configuration.
Will WordPress updates re-enable XML-RPC?
If you modify or delete the core xmlrpc.php file, WordPress updates will overwrite your changes, so using a plugin is the preferred method.
Reddit Sources
- PSA - if Cloudflare cache rate of your WordPress suddenly drops, check xmlrpc.php. Just caught a 288k-request/day brute force attack using this (r/Wordpress)
- Removing Feeds, XML, Emojis, etc. (r/Wordpress)
- EasyInstall - The WordPress Stack That Heals Itself (AI-Powered + Per-Site Redis) 🤖💪 (r/Wordpress)
- Top 5 Ways WordPress Sites Get Compromised (and how to fix them) (r/Wordpress)
- The “boring” WordPress ops stack that stops 90% of downtime, hacks, and surprise bills (a practical playbook) (r/Wordpress)
- Guide to securing your WordPress site (r/Wordpress)
- Disable XMLRPC.PHP (r/Wordpress)
- Help site compromised (r/Wordpress)