How to disable “XML-RPC” – a popular backdoor that hackers often use to bypass login pages?

XML-RPC is an old protocol that allows remote connections to your site (e.g., posting from a mobile app). Nowadays, however, it is the #1 backdoor hackers use for brute-force attacks (password guessing) and for overloading servers (DDoS).

If you do not use the WordPress app on your phone or the Jetpack plugin, you should disable it immediately.

Here are 2 ways to disable it on Hostinger:

Method 1: Using .htaccess (Strongest & Recommended)

This method blocks requests right at the server door, saving resources for your website.

  1. Go to Hostinger hPanel → File Manager.
  2. Navigate to the public_html folder.
  3. Open the .htaccess file to edit.
  4. Paste the following code at the bottom of the file:

Apache (.htaccess):

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    # Apache 2.2-style access control (on Apache 2.4 without mod_access_compat, use "Require all denied" instead)
    Order Allow,Deny
    Deny from all
</Files>

  • Result: Anyone trying to access the xmlrpc.php file will be blocked (403 Forbidden error).

Method 2: Using a Plugin (Easiest)

If you are uncomfortable editing code, use a dedicated plugin. It is very lightweight and does exactly one thing.

  1. Go to WordPress Dashboard → Plugins → Add New.
  2. Search for: Disable XML-RPC.
  3. Install and Activate the plugin named “Disable XML-RPC” (by Philip Erb or similar).
  4. That’s it! The plugin automatically disables the feature.

Note: If you are already using Wordfence, go to Login Security → Settings and tick the box Disable XML-RPC authentication.
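For readers who want the effect of Method 2 without installing a third-party plugin, the following must-use plugin does the same job with WordPress core filters. This is an added example, not code from the Disable XML-RPC plugin or from Hostinger; the file location is an assumption.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (mu-plugin example)
 * Description: Turns off XML-RPC at the WordPress level without a third-party plugin.
 * Assumed location: wp-content/mu-plugins/disable-xmlrpc.php (mu-plugins load automatically).
 */

// 1. Refuse every authenticated XML-RPC call (wp.*, metaWeblog.*, etc.).
//    This is the core filter that XML-RPC-disabling plugins rely on.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. 'xmlrpc_enabled' does NOT cover pingback.ping, the unauthenticated method
//    abused for DDoS amplification, so remove the pingback methods explicitly.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and the
//    RSD <link> in <head>, so scanners are not pointed at xmlrpc.php by the site itself.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Unlike the .htaccess rule in Method 1, this still lets xmlrpc.php load, so it saves less server work; its advantage is that it cannot be undone by a plugin or theme rewriting .htaccess.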


⚠️ Important Warning

Do NOT disable XML-RPC if:

  1. You use the WordPress Mobile App (iOS/Android) to write posts.
  2. You are using the Jetpack plugin.
  3. You use centralized website management tools (like ManageWP).

If you fall into one of these categories, do not disable it completely. Instead, rely on blocking unwanted countries (using the GeoIP method I explained earlier).

Summary of Security Stack

At this point, your website should be very secure with the following layers:

  1. ✅ Blocked countries.
  2. ✅ Blocked unwanted countries (GeoIP) for the admin login page.
  3. ✅ Hidden the login URL (/wp-admin changed to a secret name).
  4. ✅ Closed the XML-RPC backdoor.

Next Step: The final and most important layer of defense is Two-Factor Authentication (2FA). Even if a hacker knows your password and finds your login URL, they cannot enter without the code from your phone.
