How to block access to xmlrpc.php in your .htaccess file

By default, WordPress ships with the xmlrpc.php file enabled and publicly reachable. Unfortunately, xmlrpc.php is one of the most commonly abused parts of WordPress. When it is abused, it not only causes your site to consume an excessive amount of server resources, it is also likely being used to attack another website through some form of pingback attack.

We’ve noticed very few clients who actually use the xmlrpc.php file, and most can safely disable it without any negative impact on their site. However, there are some plugins that do rely on the xmlrpc.php functionality, so test your site after you implement this fix.

If you are curious about the xmlrpc.php file and what it does, the quick and dirty overview is that it allows remote applications and services to connect to and interact with your WordPress site. For example, some third-party publishing apps that you can use instead of logging into the WordPress admin area rely on the xmlrpc.php functionality. You can read more here: https://codex.wordpress.org/XML-RPC_Support

To block xmlrpc.php and prevent or stop any abuse, open up your .htaccess file and add the following to the bottom of the file:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

If you have a service that you know uses the xmlrpc.php functionality, and you have the IP addresses it connects from, you can alter the above code to allow only those IPs to access it, preventing abuse from anyone else, like so:

<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Replace xxx.xxx.xxx.xxx with the IP address of the service you wish to allow access to your xmlrpc.php file.
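To see whether xmlrpc.php is actually being hammered before you apply the block, and to confirm afterwards that the deny rule is working (blocked requests show up as 403 while an allow-listed service keeps getting 200), the following Python script summarises xmlrpc.php requests per client IP from an Apache access log. This is an added example, not code from the original article: the log lines are constructed sample data in Apache's combined log format, the IPs are documentation-range placeholders, and the threshold of 5 requests is an arbitrary assumption you should tune to your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format). Not real traffic:
#  - 203.0.113.10 hammers xmlrpc.php and is later rejected (403) once the block is in place
#  - 198.51.100.7 is a legitimate publishing service that stays on the allow list (still 200)
#  - 192.0.2.44 never touches xmlrpc.php
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:03 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "PublishingApp/1.0"
192.0.2.44 - - [10/Mar/2024:12:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:31:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "PublishingApp/1.0"
"""

# Client IP, timestamp, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access log line; return a dict or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so /xmlrpc.php?rsd is still recognised as xmlrpc.php.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def summarize_xmlrpc(log_text):
    """Return {ip: {"served": n, "blocked": n}} for requests to /xmlrpc.php.

    "blocked" counts 403 responses (what the .htaccess deny rule produces);
    "served" counts everything else, i.e. requests that reached WordPress.
    """
    stats = defaultdict(lambda: {"served": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/xmlrpc.php":
            continue
        bucket = "blocked" if rec["status"] == 403 else "served"
        stats[rec["ip"]][bucket] += 1
    return dict(stats)


def flag_heavy_clients(stats, threshold=5):
    """IPs whose served xmlrpc.php requests reach the threshold.

    These are either abusers (the reason to add the block) or legitimate
    services you should put on the 'allow from' list before blocking.
    The threshold is an assumed value; tune it to your traffic.
    """
    return sorted(ip for ip, s in stats.items() if s["served"] >= threshold)


if __name__ == "__main__":
    summary = summarize_xmlrpc(SAMPLE_LOG)
    for ip, counts in sorted(summary.items()):
        print(f"{ip:16} served={counts['served']:4} blocked={counts['blocked']:4}")
    print("heavy clients:", flag_heavy_clients(summary))
```

Run it against your real log with `summarize_xmlrpc(open("/path/to/access.log").read())`; after the block is in place, every IP except the ones you allow-listed should accumulate only "blocked" hits from that point on.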