Disable WordPress's XML-RPC API

The XML-RPC API in WordPress has been the entry point of a lot of exploits throughout the years, and the recommendation many have had it to disable it, either through the removal of the file itself, use of access control, or plugins or filters.

Not everyone has the ability to configure their servers to deny access to /xmlrpc.php. Fortunately, even without the ability to write custom access rules either in the server block configuration or use of .htaccess, there’s still a way to deal with this.

Enter WordPress filters.

Definifing the filter xmlrpc_enabled somewhere in your code is a common recommendation. However, simply setting the xmlrpc_enabled filter doesn’t fully disable the XML-RPC API. Referencing the source we can see this is the case:

Contrary to the way it’s named, this filter does not control whether XML-RPC is fully enabled, rather, it only controls whether XML-RPC methods requiring authentication - such as for publishing purposes - are enabled.

Looking further down (that is, a couple of paragraphs later) there’s the following text:

For more granular control over all XML-RPC methods and requests, see the ‘xmlrpc_methods’ and ‘xmlrpc_element_limit’ hooks.

The xmlrpc_methods filter’s documentation further says:

This filter can be used to add new methods, and remove built-in methods.

So, loaded with this information, we can construct the following lines of highly advanced code:

<?php

add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );

The xmlrpc_methods filter takes an array of names for which functions to enable. Passing an empty array disables all the functions offered by the API.

Technically you should only need to define the xmlrpc_methods filter, but I’d like to make sure the cursed thing is really and truly disabled.

All that written, if you happen to rely on the API there’s of course little you can do other than to IP limit the access to it. But you probably wouldn’t be reading this if you did.