Write Review

How to Disable the XML-RPC WordPress File Using cPanel

Dealing with a new concept can be frustrating. While running a WordPress website, you must embrace your technical skills as much as you can.

As you already know, millions of websites get hacked every year, and you don't want to include your website in the list.

So, it's important to take care of every possible vulnerability. In the past few years, WordPress has changed the status of XML-RPC file. First of all, you should know what's the tutorial is about.

When you handle any of the parts of your WordPress website remotely, you require an XMLRPC file access. Many people use IFTTT for social media posts automation.

It's believed that people who use Windows Live Writer also need to use the XML-RPC file. Before WordPress. 3.5, there was an option to enable or disable such a file, but not anymore.

Many people don't even care. According to some experts, such a file doesn't put any impact on your website because the coding standard has improved a lot.

But if you ever decide to come across disabling it, this tutorial is for you.

Use the .htaccess File to Disable XML-RPC

As you already know, .htaccess is one of the essential files of a WordPress website, you need to make sure you use it correctly.

Make sure you backup your WordPress website and its database before making any changes. It's because you wouldn't want to break your website because of a few lines of the code.

If you're scared of editing the coding file, you can also use a plugin to disable XML-RPC. But as always said, you shouldn't use a plugin if you can accomplish the same task manually.

Adding the code is a one-time thing, and the best part is you need to copy and paste it.

Follow the steps

Step 1:

Login to your cPanel account and look for the file manager, in which all the data of your WordPress site is residing.

How to Disable the XML-RPC WordPress File Using cPanel

A fewweb hosting companies may have a different layout then you can see in the screenshot. It's because every company tries to maintain its brand color.

But you don't need to worry about finding the file manager icon; it's easy to notice while scrolling through cPanel.

Step 2:

A few web hostings allow you to choose the directory you want to open when clicking on the file manager icon.

Choose to open the public_html directory.

How to Disable the XML-RPC WordPress File Using cPanel

If you directly come up with a new page, it's possible that you see the home directory. Click on the public_html link from the left-hand sidebar of cPanel.

Step 3:

If you run a single website on the host, you can find the .htaccess file in the public_html directory.

Otherwise, you need to open the folder where the WordPress installation is available.

How to Disable the XML-RPC WordPress File Using cPanel

In case, you don't see the file; it's because .htaccess is a hidden file and you need to change the settings to display hidden files by navigating to the gearbox icon from the top-right corner.

Step 4:

Once you find the .htaccess file, right-click and choose Edit. As always, you can also select the traditional Edit option from the main navigation menu of cPanel.

How to Disable the XML-RPC WordPress File Using cPanel

Step 5:


A popup appears to allow you to disable encoding. All you need to do is to click on the Edit button, and a new tab appears in the browser.

How to Disable the XML-RPC WordPress File Using cPanel

Step 6:

You can see tons of coding lines. Copy and paste the code showing below before #End WordPress.

# Block XML-RPC
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Click on the Save Changes button from the top-right corner, and you're all set. From now onwards, you don't need to worry about any remote access which may lead to a website hack.

As I have already mentioned, the file used to control the remote access to your site; now as you have disabled it, you can't do that.

I Hope You have Understood the Concept

I remember when I used to fret because of such a new concept about WordPress. Although nowadays, most of the WordPress web hosting companies are taking care of the security, you must understand every possible concept.

Securing your WordPress website is essential, and the first step is to keep doing regular backups of your site and its database.


If you don't access your website remotely using any third-party tool, you don't need an XML-RPC file. You can disable it any time you want.

I hope it's not so hard to disable such a file.

Check out these top 3 WordPress hosting services:

Was this article helpful?